INTRODUCTION


1.  Introduction. 


1.1.  Motivation  and  general  comments. 


The best guarantee is to find programs which are not too hard
to execute, but can be applied to very 'many' instances of
interest.  G. Kreisel [1981]

The question of finding convenient representations for mathematical facts is one of the most interesting challenges in the field of mechanical theorem proving. A solution should lead naturally to other applications. Thus, given a problem, instead of simply asking whether one can find a particular representation that enables a machine to solve it, one should also ask:

- Are we learning something else from this experiment, besides the fact that the (usually well known) theorem is true?

- Is our representation abstract enough to allow applications of the result to similar problems?

For otherwise, given the well known present limitations of mechanical theorem provers, it is hard to imagine that the natural customer of the technology of automatic proof-checking, i.e. the working mathematician or teacher of mathematics, may ever find any appeal in it.

In the experiments described in this paper we have tried to meet this challenge by using the proof checker EKL, a system whose flexibility is increased by the use of higher order logic. Using the expressive power of EKL we abstractly represent a result in second order language, prove it and then apply it in a natural way to different contexts.

The focus of our experiment is the basic theory of permutations. A permutation is a bijection of a (finite) set into itself. Our aim is to prove that permutations of a finite set, with the operation of composition of functions, form a group. Specifically, given a finite set S, we want to show that

(1) the composition f o g of two permutations f and g on S is a permutation on S and composition is associative;

(2) the identity function i on S is a permutation; for any permutation f on S, i o f = f (left identity) and f o i = f (right identity);

(3) if f is a permutation on S, then there is a permutation f^-1 of S such that f^-1 o f = i (left inverse) and f o f^-1 = i (right inverse).

EKL can easily express such facts in first or higher order logic. We can simply prove the facts stated above using elementary set theory. In the proof we need the 'pigeon hole' principle of elementary arithmetic: if we want to fill each of n holes and we have only n objects, then no hole can contain more than one object. The proof of this fact is not entirely trivial. Although it can be formulated in the language of first order logic with symbols for order, successor and a function symbol, it cannot be proved in the fragment of arithmetic having the usual axioms for order and successor plus induction applied to unary formulas only [Goad 1979]. Our proof of the pigeon hole principle, expressed in second order arithmetic, presents no such difficulties, since we do not restrict the inductive principle available to EKL.

The mathematical notions considered here do not require higher order logic in an 'essential way'. Any fact stated herein could be rephrased in terms of first order logic. Rather, the expressive power of EKL is used to emphasize the freedom in the choice of representations and the flexibility in proving facts.
There are many ways of representing finite functions. Having chosen one, we must define the operations of composition of functions, the identity function and the operation of taking the inverse of a function. Then we must prove the facts (1) - (3) using that interpretation.

We can always assume that a representation of a finite set of objects gives also an enumeration of it. Therefore we may represent finite functions as lists and use the axioms of LISP to prove facts about them.

We give two different representations of permutations, one using association lists and the other using lists of numbers. In the first case the association list contains the graph of the function. Domain and range are represented by lists obtained in the obvious way from the given association list. In the second case the list contains the range in the order given by the domain. The domain is not represented by a list: rather it is a segment of the set of natural numbers. In this sense we have a more abstract representation, in which it is slightly easier to apply the pigeon hole principle as an abstract fact of arithmetic. This representation has been traditionally used in mathematics in order to talk about finite permutations.

The  application  of  the  pigeon  hole  principle  occurs  at  similar  points  of  the  proofs,  but  the 
second  order  statement  expressing  it  is  instantiated  by  different  functions.  The  improvement  of 
efficiency  obtained  by  higher  order  logic  is  particularly  obvious  here. 

We also give two versions of the results for representations using lists of numbers. In the first version the operations of composition, identity and inverse are defined by predicates: we shall call it Permutation-Predicate or PERMP. In the second these operations are defined by functions; we shall call this approach PERMF, for Permutation-Function.
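As an added illustration of facts (1)-(3) and of the two list representations just described (constructed Python, not code from the paper or from EKL), the following models both the number-list representation, once in PERMF style (operations as functions) and once in PERMP style (operations as predicates), and the association-list representation with its normal form; the function names are chosen here, and the pigeon hole principle appears as the membership test on a list of n values drawn from 0..n-1.

```python
# Added example (not code from the paper or from EKL): the two list
# representations of finite permutations and the group facts (1)-(3).
# A number list p of length n represents i -> p[i] on the domain 0..n-1;
# an association list is a list of (x, f(x)) pairs, the graph of f.
from itertools import permutations

def is_perm(p):
    """Pigeon hole check: n values, each in 0..n-1, and no two equal."""
    n = len(p)
    return all(isinstance(v, int) and 0 <= v < n for v in p) and len(set(p)) == n

# PERMF style: composition, identity and inverse as functions on lists.
def identity(n):
    return list(range(n))

def compose(f, g):
    """(f o g)(i) = f(g(i)), built by walking the second list g."""
    if len(f) != len(g):
        raise ValueError("permutations must be on the same domain")
    return [f[x] for x in g]

def inverse(f):
    """Fill slot f(i) with i; by the pigeon hole principle every slot is
    filled exactly once when f is a permutation."""
    inv = [None] * len(f)
    for i, v in enumerate(f):
        inv[v] = i
    return inv

# PERMP style: the same operations as predicates relating lists.
def is_composition(f, g, h):
    return len(h) == len(f) == len(g) and all(h[i] == f[g[i]] for i in range(len(h)))

def is_identity(e):
    return all(e[i] == i for i in range(len(e)))

def is_inverse(f, h):
    return len(h) == len(f) and all(h[f[i]] == i for i in range(len(f)))

def check_group_laws(n):
    """Facts (1)-(3) checked exhaustively for S = {0,...,n-1}."""
    perms = [list(p) for p in permutations(range(n))]
    e = identity(n)
    for f in perms:
        fi = inverse(f)
        if not (is_perm(f) and is_perm(fi) and is_inverse(f, fi)):
            return False
        if compose(e, f) != f or compose(f, e) != f:          # (2)
            return False
        if compose(fi, f) != e or compose(f, fi) != e:        # (3)
            return False
        for g in perms:
            if not is_perm(compose(f, g)):                    # (1) closure
                return False
            for h in perms:                                   # (1) associativity
                if compose(compose(f, g), h) != compose(f, compose(g, h)):
                    return False
    return True

# Association lists: the representation is not unique, so a normal form
# (the graph ordered by its field) is used to compare two permutations.
def alist_is_perm(alist):
    dom = [x for x, _ in alist]
    rng = [y for _, y in alist]
    # distinct keys and range == domain: the pigeon hole principle then
    # forces the range entries to be distinct as well
    return len(set(dom)) == len(dom) and set(dom) == set(rng)

def alist_normal_form(alist):
    return sorted(alist)

def alist_compose(f, g):
    """Graph of f o g: pair each x with f(g(x))."""
    fd = dict(f)
    return [(x, fd[y]) for x, y in g]

def alist_inverse(f):
    return [(y, x) for x, y in f]

def alist_equal(f, g):
    return alist_normal_form(f) == alist_normal_form(g)
```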

The contrast between the representations through predicates and through functions is an aspect of the tension between extensional and intensional approaches to mathematics. This is relevant in general to the automatic verification of the correctness of programs. The way we dealt with this tension can be taken, in some sense, as the 'moral' of our experiment. We try to summarize our point in the following (idealized) history of the project.

Suppose we have written a LISP program for permutations, using any representation, and we want to prove it correct 'by pencil and paper'. If we are willing to assume the pigeon hole principle as evident and to justify the inferences by the label 'evident by elementary arithmetic', then the proof of correctness is fairly simple, no matter what representation one chooses. Only the forms of the inductions require some thought.

On the other hand, if we try to check our proof mechanically, say using EKL, and have in our proof library only simple facts of arithmetic and of LISP, then the task may look discouraging. Too many facts of elementary arithmetic and LISP functions may be needed, especially if we stick to the original form of our recursive programs in a 'too constructive' fashion.

This feeling of uneasiness is well known and perhaps unavoidable in the early stage of such an enterprise as ours: since the first efforts of large scale formalization of elementary mathematics (e.g. Russell and Whitehead's 'Principia'), it became obvious that the amount of innocent presuppositions hidden in intuitive arguments grows to the size of a tropical forest in a full formalization.

However, our experiments and many others show that some nontrivial results are indeed provable, when the basic proof libraries are reasonably furnished. It is also likely that simple improvements of EKL (more semantic attachments) will make our task easier.

Minor details in the choice of the representation and in the formulation of the results may have major consequences in terms of length of the proofs and feasibility of the project. For instance, the representation of permutations in terms of association lists makes most proofs easy applications of one induction principle, induction on association lists. However, more work is needed to show that these facts on association lists actually establish the desired facts about permutations: indeed the representation by association list, unlike that by lists of numbers, is not unique. A permutation is represented by an equivalence class of association lists, not by a single association list. Hence one needs a canonical way to choose representatives, a normal form, that can be obtained e.g. by ordering the field of the permutations. It is reasonable to consider other representations having the uniqueness property.

At first sight there seems to be no question that it is better to represent our operations by functions rather than by predicates. One can test this assumption by comparing our two versions PERMP and PERMF: to find a confirmation, one just looks at the treatment of composition of permutations and the proof that composition is associative. The operation on lists that represents composition of functions is better represented as a binary function, defined by recursion on the first list, rather than a ternary predicate. Indeed in the first case we can use a straightforward proof by induction on the recursive definition of the functions, whereas in the second case predicates require some relatively complicated substitutions. Finding these substitutions would require a huge number of random attempts if they were done without human direction.

Interestingly  enough,  many  other  proofs  employing  list  representation  are  easier  when  the 
notions  in  question  are  formulated  using  predicates  rather  than  functions.  This  is  true  especially 
of  proofs  about  the  identity  and  the  inverse  of  a  permutation.  In  the  version  PERMP,  such  proofs 
are simply obtained by expanding the assumptions and the definitions. In the version PERMF, the
recursive  definitions  may  be  quite  complicated,  and  the  inductive  proofs  become  quite  involved. 

This situation is in many ways analogous to problems in various areas of mathematics. In the representation through functions the intensional features of our programs are closely represented. On the contrary, in the representation through predicates only the extensional properties of our functions are relevant. It is well known that in most mathematical practice only extensional facts are considered. We may say that predicates allow slightly more abstract definitions of the operations than functions. In mathematics often a small progress towards abstraction simplifies the presentation considerably.

If  we  start  our  proof  of  correctness  with  the  definitions  contained  in  the  version  PERMF,  we  may 
find  it  convenient  to  look  at  the  definitions  of  the  operations  in  PERMP  and  to  prove  them  first  as 
lemmata.  One  can  then  use  these  facts  in  different  contexts  instead  of  going  through  longer  direct 
proofs. 

Abstracting lemmata and breaking arguments into suitable parts is the basis for mathematical communication: it makes proofs 'easy to take and easy to remember'. This remark by Kreisel (a variation on a theme by Wittgenstein) is highly appropriate here. The readability of mechanical proofs depends on such devices even more than the readability of 'pencil and paper' proofs. An automatic proof of correctness of previously written programs may be too long and tedious for human consumption. A better organization of the problem, based on more abstract consideration of the facts in question, may significantly increase the readability of such proofs.

Some objections may be raised to our remarks. On one side, one may argue that it is not clear what counts as evidence in favour of our claims: isn't it after all just a question of mathematical taste?

On the other side, even granting our claims, one may be a priori skeptical about the relevance of our investigation. Haven't we simply verified, through mechanical proof checking of mathematically trivial examples, the well known fact that there are good and bad styles of mathematical presentation? Can we expect any interesting theoretical discovery to result from experiments of this kind?

In our experiments we search for methods to effectively use the given technology and for guidelines to improve it. Current practice of informal mathematics and theoretical results from logic do not immediately provide all the relevant information. Proof checking is a practice of interaction between a user and a given technology, in which human capacities, technical possibilities, linguistic features and methods of interaction are all relevant. For instance, we know from the Normalization Theorem in Proof Theory that direct proofs are generally longer than those using lemmata. It is very well possible that different languages or different theorem provers may suggest different strategies of proof checking. In particular, we cannot rule out the possibility that a language may be created, a technology produced and an experiment exhibited in which, say, most of our lemmata have convenient direct proofs. Only experience can decide. But given a certain technology, practice does indeed show what directions are convenient and what projects feasible. Strategies and methods of proofs, not only the subjective qualities of the user, are decisive in determining the success of a project.

On the other hand, no matter how plausible the reasons of the skeptic may look, the performance of automatic proof checkers has been remarkably improved since the first experiments. Instruments are available that allow a 'microscopic' analysis of mathematical proofs; a certain amount of experimentation has already been performed. The analysis of what is usually regarded as 'style' of presentation may possibly disclose important features of proofs that have been overlooked so far. Above all, this work is a necessary preliminary step to start applying automatic proof transformations (e.g. extraction of bounds, transformation of non elementary proofs into elementary ones, cut elimination and functional interpretation, etc.) to mathematically significant examples. And there, for a logician, the real fun begins.

1.2.  The  Proofs  in  EKL. 

EKL  is  a  proof  checker  and  constructor  that  uses  a  typed  language,  a  rewriting  system,  a 
decision  procedure  and  semantic  attachments. 

The language of EKL is described in detail in the user's manual [Ketonen and Weening 1984]. For the sake of completeness, we will describe some of the basic facets of this system.

Remark 1. EKL does not distinguish between uppercase and lowercase. As a convention, in this paper we will use lowercase typewriter-like font for commands and formulas occurring within a command, and uppercase typewriter-like font for the formulas returned by EKL. The output of EKL is preceded by a semicolon. Thus

(trw |p⊃p|)

is a command (asking EKL to verify a tautology) and

;P is unknown.
;the symbol P declared to have type TRUTHVAL
;P⊃P

is the answer by EKL. The first two lines inform us that a default declaration has been made; the third tells that EKL has verified the tautology.

We thank J. McCarthy for his constant support and encouragement. We owe C. Talcott many ideas and suggestions at various stages of the work. Thanks to R. Casley and J. Weening for their fundamental TEXnical help. This research was supported by grants NSF MCS 82-0().56.'i and ARPA N00039-82-C-0250.
Remark 2. EKL commands use the LISP syntax

(funct arg1 ... argn)

where the function (command) funct is applied to the arguments arg1 ... argn. In describing such commands we use the expressions &optional and &rest.

(funct arg1 ... &optional argj ... &rest param)

'&optional' indicates that all arguments following it are optional and are given a default value if omitted. '&rest' means that 'param' indicates the list of all arguments following it, rather than a single parameter.


1.2.1.  The  Language  specified  by  EKL. 

A list of linguistic attributes, i.e. a declaration, is associated with every atom. The main attributes of a declaration are the type, the syntype and the sort.

The type of an EKL object tells how that object can be applied. For example, an object of type ground -> ground can be applied to objects of type ground resulting in an object of type ground. An object of type ground* -> ground can be applied to any number of objects of type ground resulting in an object of type ground. Thus objects of this type could be regarded as having variable arity. A sentence is an object of type truthval. A unary predicate is an object of type ground -> truthval. Sets can also be represented as objects of this type.

In declaring the type of a new entity, the operator @ gives the type of a (previously defined) object. Thus

(decl setseq (type: |@n->@set|))

establishes that setseq has the type of a sequence of sets, i.e. the type of a function from objects of the type of natural numbers to objects of the type of sets. Since natural numbers have type ground and sets have type ground -> truthval, the above declaration is the same as

(decl setseq (type: |ground->(ground->truthval)|)).

The syntype specifies whether a linguistic object is a variable (so that it can be quantified), a constant (so that it cannot be quantified) or a bindop, an operator binding variables.

A sort in EKL is simply a unary predicate. Every EKL symbol has a sort. The default is universal, the most general sort of any type.

Typically we may have a variable n of sort natnum and a variable x of sort universal. Then statements like ∀n.P(n) are equivalent to ∀x.natnum(x)⊃P(x).

In existential generalization, λ-abstraction etc. EKL checks whether the term in question satisfies sort restrictions. For example, the formula ∀n.A(n)⊃∀x.A(x) is not provable in the above situation, unless facts like ∀x.natnum(x) are in use.

The information that a function is defined for a certain argument (or that a program terminates) can be given as a fact about sorts. In the following example, to prove that numseq(m) is of the sort natnum is to show that the function numseq is defined for m as an argument. Of course EKL cannot determine this just from the declaration of numseq.
(proof sums)

(decl (i j k m n) (sort: natnum))
(decl numseq (type: |@n->@n|))

(derive |∀m.natnum(numseq(m))|)

;failed to derive
NATNUM(NUMSEQ(N))

(trw |∀m.natnum(numseq(m))|)

;(∀M.NATNUM(NUMSEQ(M)))≡(∀M.NATNUM(NUMSEQ(M)))

Some EKL symbols are predeclared: we cannot modify their attributes. We can introduce linguistic objects using the EKL command DECLARE:

(I) (decl <symbol> . <attributes>).

If we introduce a new symbol without declaring it, EKL tries a default declaration and tells us what it is.

A  context  is  simply  a  list  of  declarations  for  atoms. 


1.2.2.  Proofs  and  Lines  in  EKL. 

A proof in EKL consists of lines. Each line in a proof is a result of a command. There are several different types of lines:

(1) Lines that result from declarations. These have the effect of setting the context of a line and adjoining the declaration to the current context.

(2)  Lines  resulting  from  other  commands. 

Examples: 

(II) (assume wff)

The formula wff is assumed true, with the above line introduced as a dependency.


(III) (axiom wff)

The formula wff is assumed as true, with no visible dependencies introduced.


(IV) (defax symbol wff)

The formula wff is assumed as true and regarded as the definition of symbol.


(V) (define symbol wff &optional rewriter)

The formula wff is regarded as the definition of symbol, provided that the truth of ∃symbol.wff follows using the rewriter. The formula wff must contain symbol.




(VI) (trw term &optional rewriter)

The term term is rewritten using standard rewriting, the lines labeled previously as simpinfo and the instructions given by rewriter.

Let term1 be the result of such rewriting. If term is a term then the formula term = term1 is given as conclusion; if term is a formula, then term ≡ term1 is derived, unless term1 is TRUE, in which case term is derived, or FALSE, in which case ¬term is derived.


(VII) (rw &optional line rewriter)

The  line  line  is  rewritten  using  standard  rewriting,  the  lines  labeled  previously  as  simpinfo  and 
the  instructions  given  by  rewriter. 


(VIII) (derive term &optional linerange rewriter)

The  formula  term  is  derived  from  the  formulas  in  linerange,  using  the  decision  procedure,  lines 
previously  labeled  as  simpinfo,  standard  rewriting  and  rewriting  according  to  the  instructions 
given  by  the  rewriter. 


(IX) (cases line linerange)

The lines in linerange must contain the same formula, say A; line must be a disjunction. This command corresponds to the conclusion of a 'proof by cases'. Suppose we are able to derive A from A1 and also from A2 and ... and also from An. Suppose we prove A1 ∨ A2 ∨ ... ∨ An. Then we can conclude A 'independently of' A1,...,An.


(X) (ci linerange &optional line rewriter)

Let the lines in linerange contain the formulas A1,...,An. Let the formula in line be B. Then the result of this command is

A1 ∧ ... ∧ An ⊃ B,

and this formula will not 'depend on' A1,...,An.

(XI) (ue termslst &optional linedg rewriter)

This corresponds to the instantiation of a universal statement. If termslst contains the pair (x t), t is of the same type and sort as x and linedg is of the form ∀x.A(x), then the UE command will yield A(t), rewritten according to rewriter (and the lines previously labeled as simpinfo).

Let us say that the variable x is explicitly universally quantified in ∀x.A(x). We define below what it means for x to be implicitly universally quantified in a line. The ue command is extended to the case of implicitly quantified variables and also to the case of multiple substitution, with termslst being a list of pairs.
1.2.3. Lines and dependencies.

Each  line  has  associated  to  it  its  context  and  dependencies.  If  a  line  contains  a  formula,  then 
its  context  is  the  set  of  all  declarations  needed  to  make  sense  of  that  formula  and  parsing  of  the 
commands  leading  into  it. 

The  dependencies  are  established  using  rules  similar  to  Gentzen’s  Natural  Deduction  System. 

- A line resulting from a command assume depends on itself.

- A line resulting from a command define or trw inherits the dependencies of the lines quoted by the rewriter plus the lines that are used automatically, having previously been labeled as simpinfo.

- A line resulting from a command rw inherits the dependencies of the lines quoted in line, rewriter and those labeled simpinfo.

- A line resulting from a command derive inherits the dependencies of the lines quoted in linerange, rewriter and those labeled simpinfo.

- The dependencies of the line line0 resulting from a command cases are determined as follows. Suppose the formula of the line is A1 ∨ ... ∨ An and suppose linerange is line1 ... linen: then the dependencies of line0 are the union, for j = 1,...,n, of the dependencies of the linej that are different from Aj.

- The dependencies of the line line0 resulting from a command ci are determined as follows. Let all the formulas in linerange result from the command assume. Then line0 inherits the dependencies of line and of rewriter, except for those inherited from linerange.

- A line resulting from a command ue inherits the dependencies of linedg and rewriter.

A variable occurring in a line is implicitly universally quantified if it does not occur free in any of the dependencies of the line in question. This condition corresponds to the restriction on the application of ∀-introduction in Natural Deduction System. As noted above, implicitly universally quantified variables behave exactly as explicitly universally quantified variables; in particular, the ue command applies to them. We cannot allow implicitly universally quantified variables in lines coming from the axiom or defax command. EKL must regard an axiom as creating dependencies, although it is instructed to be silent about them. Carefully writing all the universal quantifiers in the axioms saves many unpleasant surprises to the user. The variable defined by define or defax is not implicitly universally quantified: it is to be regarded as the eigenvariable of an ∃-elimination in Natural Deduction.
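The dependency rules of this section and the test for implicit universal quantification, as an added bookkeeping model (constructed Python, not EKL's own code): formulas are plain strings in the paper's notation, `free_vars` is a deliberately simple tokenizer, and the `Proof` class and its method names are chosen here; for `cases` the disjunction line's own dependencies are included as in natural deduction ∨-elimination, which is an assumption beyond the rule as stated above.

```python
# Added example (not EKL's own code): a small bookkeeper for the dependency
# rules of section 1.2.3. Formulas are plain strings in the paper's notation;
# free_vars is a deliberately simple tokenizer (an assumption of this model).
import re

IDENT = r"[A-Za-z_]\w*"

def free_vars(wff):
    """Identifiers that are neither bound by a ∀/∃ prefix nor applied."""
    bound = set(re.findall(r"[∀∃]\s*(" + IDENT + r")\s*\.", wff))
    applied = set(re.findall(IDENT + r"(?=\s*\()", wff))
    return set(re.findall(IDENT, wff)) - bound - applied - {"TRUE", "FALSE"}

class Line:
    def __init__(self, no, kind, formula, deps):
        self.no, self.kind, self.formula, self.deps = no, kind, formula, frozenset(deps)

class Proof:
    def __init__(self):
        self.lines = {}

    def _add(self, kind, formula, deps):
        n = len(self.lines) + 1
        self.lines[n] = Line(n, kind, formula, deps)
        return n

    def _deps(self, nos):
        return set().union(*(self.lines[n].deps for n in nos))

    def assume(self, wff):
        return self._add("assume", wff, {len(self.lines) + 1})   # depends on itself

    def axiom(self, wff):
        return self._add("axiom", wff, set())   # no visible dependencies

    def derive(self, wff, linerange=(), rewriter=()):
        return self._add("derive", wff, self._deps(linerange) | self._deps(rewriter))

    def ci(self, linerange, line, rewriter=()):
        """A1 ∧ ... ∧ An ⊃ B, discharging the assumption lines in linerange."""
        ants = [self.lines[n] for n in linerange]
        if any(a.kind != "assume" for a in ants):
            raise ValueError("ci: every line in linerange must come from assume")
        b = self.lines[line].formula
        ant = "∧".join(f"({a.formula})" if len(ants) > 1 else a.formula for a in ants)
        con = f"({b})" if "⊃" in b else b
        deps = (self.lines[line].deps | self._deps(rewriter)) - set(linerange)
        return self._add("ci", f"{ant}⊃{con}", deps)

    def cases(self, line, linerange):
        """Proof by cases: line holds A1 ∨ ... ∨ An, each linej holds the same A."""
        disjuncts = [d.strip() for d in self.lines[line].formula.split("∨")]
        conclusions = {self.lines[n].formula for n in linerange}
        if len(conclusions) != 1 or len(disjuncts) != len(linerange):
            raise ValueError("cases: mismatched disjuncts and case lines")
        # the disjunction's own dependencies (ND ∨-elimination; assumption of this model)
        deps = set(self.lines[line].deps)
        for aj, n in zip(disjuncts, linerange):
            # drop the assumption line whose formula is Aj from case j
            deps |= {k for k in self.lines[n].deps
                     if not (self.lines[k].kind == "assume" and self.lines[k].formula == aj)}
        return self._add("cases", conclusions.pop(), deps)

    def implicitly_universal(self, var, line):
        """var is not free in any dependency of the line."""
        return all(var not in free_vars(self.lines[k].formula) for k in self.lines[line].deps)

    def ue(self, var, term, linedg, rewriter=()):
        """Instantiate ∀var (explicit prefix or implicit) in linedg with term."""
        wff = self.lines[linedg].formula
        prefix = f"∀{var}."
        if wff.startswith(prefix):
            body = wff[len(prefix):]
        elif self.implicitly_universal(var, linedg):
            body = wff
        else:
            raise ValueError(f"ue: {var} is not universally quantified in line {linedg}")
        inst = re.sub(r"\b" + re.escape(var) + r"\b", term, body)
        return self._add("ue", inst, self.lines[linedg].deps | self._deps(rewriter))

def example_proof():
    """Constructed walk-through: ⊃-introduction, then a proof by cases."""
    p = Proof()
    p.assume("∀x.p(x)⊃q(x)")   # 1
    p.assume("p(y)")           # 2
    p.ue("x", "y", 1)          # 3: p(y)⊃q(y), depends on 1
    p.derive("q(y)", (2, 3))   # 4: depends on 1 and 2
    p.ci((2,), 4)              # 5: p(y)⊃q(y), depends on 1 only
    p.ue("y", "a", 5)          # 6: y is implicitly universal in 5
    p.assume("r(z)∨s(z)")      # 7
    p.assume("r(z)")           # 8
    p.derive("t", (8,))        # 9
    p.assume("s(z)")           # 10
    p.derive("t", (10,))       # 11
    p.cases(7, (9, 11))        # 12: t, depends on 7 only
    return p
```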

1.2.4.  Controlling  the  Rewriting  Process. 

Certain  substitutions  are  automatically  performed  by  EKL  in  rewriting.  For  instance: 

- if A and B differ only in the name of the bound variables and the corresponding names have the same sort, then A=B, A≡B and A⊃B are simplified to TRUE

- P≡TRUE, P=TRUE, P∧TRUE, TRUE⊃P, FALSE∨P, ¬¬P, IF TRUE THEN P ELSE Q are all simplified to P, etc.

Other  cases  of  standard  rewriting  are  listed  in  the  user's  Manual. 

Control over the rewriting process is one of the most important features of EKL. The commands to specify rewriters are described in the user's Manual. We recall only the ones most frequently used in this paper.


The  command 

(use linerange &rest options)

tells EKL that all lines in linerange are to be applied to the term being rewritten, in the order given by linerange. A line is 'applied' to a term as follows.

- EKL identifies terms that differ only in the names of bound variables of the same sort. Let A be the term being rewritten: if the formula of the line is A, then A is replaced by TRUE; if the formula of the line is ¬A then A is replaced by FALSE.

- If the formula of the line is a conjunction, both conjuncts are successively applied to the term being rewritten.

- EKL performs 'conditional rewriting': if the formula of the line is B⊃A, then the term A is replaced by TRUE, provided that the decision procedure derives B from the current context.

- If the formula of the line is universally quantified, then instances of the formula, the bound variables being replaced by suitable terms, are applied to the term.

- Suppose the formula of the line is an equality of the form a=b and let the term being rewritten be a formula containing a. If in the command the list of options is empty, then the left member of the equality a is replaced by b in the formula, provided that b is 'simpler' than a.

The notion of 'simplicity' can be roughly described as follows. The expressions of the language of EKL are ordered lexicographically: we say that f is 'simpler' than g and a+b is 'simpler' than b+a. Moreover the expression f(x,f(x)) is 'simpler' than f(x,y) since it contains fewer basic symbols. The usual recursive definitions of terms from basic symbols and of propositions from atomic propositions give a natural measure of complexity of the expressions: we say that f(x) is 'simpler' than f(x,f(x)).

A  list  of  options  is  available  to  make  substitutions  in  other  ways: 

(i)  direction:  reverse 

(ii)  direction:  simpler 

(iii)  mode:  exact 

(iv)  mode:  always 

(v) ue: ((var1 . term1) ... (varj . termj))

By  (i),  we  ask  EKL  to  apply  equalities  in  the  reverse  of  the  normal  direction  (replace  in  the  term 
under  consideration  an  occurrence  of  b,  the  right  member  of  the  equality,  by  a,  the  left  member), 
or,  by  (ii),  in  whichever  direction  will  make  the  formula  simpler.  By  (iii),  we  ask  EKL  to  make  the 
substitution  no  matter  whether  the  result  will  be  simpler,  without  applying  the  line  again  to  the 
terms  produced  by  the  first  application,  or,  by  (iv),  applying  the  line  as  many  times  as  possible. 
The  option  (v)  allows  us  to  apply  the  UE  command  to  the  line  and  then  to  apply  the  modified  line 
to  the  term  being  rewritten. 


We can restrict the range of application of the line to parts of the term being rewritten by using the command

(part subpart &rest rewriter)

Loosely speaking, we can regard the set of parts of an expression as a tree and denote a part by any label of the path that leads to it. For instance, the parts of

∀x.p(a)∧(q(a)∨r(x))
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can  be  denoted  as  follows; 

1 

p(a) A(q(a)vr(x)) 

1#2 

q(a)Vr(x) 

1#2#1  l#2#-2 

q(a)  r(x) 

Example; 

1.  (assume  IVx .p(a) A(q(a) Vr(x)) I ) 

2.  (assume  |a=b|) 

3.  (rw  1  (use  2)) 

;VX.P(A)A(C|(A)vR(X)) 

4.  (rw  1  (use  2  mode;  exact)) 

:VX.P(B)A(Q(B)VR(X)) 

5.  (rw  1  (part  1#2#1  (use  2  mode:  exact))) 

;VX.P(A)A(Q(B)VR(X)) 


1#1 

p(a) 
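As an added illustration (not part of the original paper), the following Python models the part labels and reproduces steps 3 to 5 of the example above: in the default mode a=b is not applied because b is not simpler than a, mode: exact applies it everywhere, and part 1#2#1 confines it to q(a). The tuple encoding of terms and the `simpler` ordering are simplifications assumed here, not EKL's own.

```python
# Added example, not from the paper: EKL-style part labels and restricted
# rewriting on a tiny term tree.  Terms are tuples (operator, arg1, ...),
# atoms are strings, and ('forall', var, body) is a quantified formula whose
# only addressable part is its body (part 1); the bound variable is not a part.

FORMULA = ('forall', 'x',
           ('and', ('p', 'a'),
                   ('or', ('q', 'a'), ('r', 'x'))))      # ∀x.p(a)∧(q(a)∨r(x))


def children(term):
    """The immediate parts of a term, numbered from 1 as in EKL labels."""
    if isinstance(term, str):
        return []
    if term[0] == 'forall':
        return [term[2]]
    return list(term[1:])


def parts(term, prefix=''):
    """Map every label ('1', '1#2', '1#2#1', ...) to the part it denotes."""
    table = {}
    for i, sub in enumerate(children(term), start=1):
        label = f'{prefix}#{i}' if prefix else str(i)
        table[label] = sub
        table.update(parts(sub, label))
    return table


def size(term):
    """Number of basic symbols in a term (the paper's rough complexity measure)."""
    return 1 if isinstance(term, str) else 1 + sum(size(c) for c in term[1:])


def simpler(t1, t2):
    """Assumed stand-in for EKL's ordering: fewer symbols wins, then lexicographic order."""
    return (size(t1), repr(t1)) < (size(t2), repr(t2))


def replace(term, lhs, rhs):
    """Replace every occurrence of lhs in term by rhs, leaving bound variables alone."""
    if term == lhs:
        return rhs
    if isinstance(term, str):
        return term
    if term[0] == 'forall':
        return ('forall', term[1], replace(term[2], lhs, rhs))
    return (term[0],) + tuple(replace(c, lhs, rhs) for c in term[1:])


def rewrite_at(term, path, lhs, rhs):
    """Apply lhs=rhs only inside the part reached by following path (a list of indices)."""
    if not path:
        return replace(term, lhs, rhs)
    i = int(path[0])
    if term[0] == 'forall':
        # the body is the only part of a quantified formula, whatever the index
        return ('forall', term[1], rewrite_at(term[2], path[1:], lhs, rhs))
    args = list(term[1:])
    args[i - 1] = rewrite_at(args[i - 1], path[1:], lhs, rhs)
    return (term[0],) + tuple(args)


def rewrite(term, lhs, rhs, mode='simpler', part=None):
    """Use the equality lhs=rhs on term the way (rw line (use eq ...)) does.

    mode='simpler' (EKL's default) applies the equality only when rhs is
    simpler than lhs; mode='exact' applies it regardless.  part, if given,
    is a label such as '1#2#1' restricting where the equality is applied.
    """
    if mode == 'simpler' and not simpler(rhs, lhs):
        return term
    if part is None:
        return replace(term, lhs, rhs)
    return rewrite_at(term, part.split('#'), lhs, rhs)


def show(term):
    """Render a term in the notation used above (disjunctions parenthesised)."""
    if isinstance(term, str):
        return term
    op = term[0]
    if op == 'forall':
        return f'∀{term[1]}.{show(term[2])}'
    if op == 'and':
        return '∧'.join(show(a) for a in term[1:])
    if op == 'or':
        return '(' + '∨'.join(show(a) for a in term[1:]) + ')'
    return f'{op}({",".join(show(a) for a in term[1:])})'


if __name__ == '__main__':
    for label, sub in sorted(parts(FORMULA).items()):
        print(f'{label:8} {show(sub)}')
    print(show(rewrite(FORMULA, 'a', 'b')))                               # step 3
    print(show(rewrite(FORMULA, 'a', 'b', mode='exact')))                 # step 4
    print(show(rewrite(FORMULA, 'a', 'b', mode='exact', part='1#2#1')))   # step 5
```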


The  command 

(open &rest symbols)

is  equivalent  to 

(use  linerange  mode:  exact), 

where  linerange  consists  of  all  the  lines  involved  in  the  definition  of  the  symbols  in  the  list  symbols. 


We  may  want  to  call  the  decision  procedure  to  rewrite  a  subformula  of  a  line  to  TRUE.  This  is 
done  by  the  command 

(der &rest linerange)

Finally,  we  may  use  several  rewriters  within  a  single  command. 


1.2.5. EKL and Natural Deduction.

A derivation in Gentzen-style Natural Deduction can be extracted from any EKL proof (although
most of the time we don't see it).

Let us disregard the fact that EKL lines may result from declarations, i.e. that EKL proofs contain
also some language specifications and are, in this respect, similar to Martin-Löf-style derivations.


Some commands of EKL correspond to rules of Natural Deduction systems:

    assume      assume
                ∧ introduction
                ∧ elimination
                ∨ introduction
    cases       ∨ elimination
    ci          ⊃ introduction
                ⊃ elimination
                ∀ introduction
    ue          ∀ elimination
                ∃ introduction
    define      ∃ elimination

The missing rules are replaced by the derive command. Commands for the quantifiers include
higher order quantification.

If we want to write EKL proofs in terms of Natural Deduction, we must also include some form
of equational calculus corresponding to the rewriting process. EKL does not display all the steps of
substitutions in the process of rewriting. It displays only the result of such process. We can ask
EKL to show us all of the steps executed while rewriting by typing the command

(setq rewritemessages t)

(examples are given in Sections 2.1, 2.6 and 2.9). Each step of rewriting corresponds to an
application of a rule of equality in equational calculus. The rewriting of a nontrivial line may involve
a huge number of substitutions. It is clear, then, why we do not want always to see the natural
deduction derivation corresponding to an EKL proof.

More generally, to simulate the flexibility of informal reasoning through (mechanical simulation
of) formal reasoning is an important aim in the field of automatic theorem proving. The details of
the formalization of informal arguments may be ignored once we are convinced that the mechanical
procedure is correct.

Since the rewriting process applies to logical simplification as well, we can replace applications
of natural deduction rules with rewriting. In other words, we tend to apply rules of substitution and
of replacement, perhaps repeatedly in a single command, instead of expanding the proof according
to the rules of natural deduction. This makes the EKL proofs much shorter. We shall show later
some useful techniques to help the rewriting process and derive lines in one step.
1.2.6. Remembering Lines in EKL.


Forgetting is no mere vis inertiae as the superficial imagine: it
is rather an active and in the strictest sense positive faculty of
repression... The man in whom this apparatus of repression
is damaged and ceases to function properly may be compared
... with a dyspeptic - he cannot "have done" with anything. †

EKL  is  capable  of  remembering  and  forgetting.  The  command 

(label name &optional linerange)

tags  the  lines  in  linerange  with  label  name.  Linerange  defaults  to  the  last  line  of  the  current 
proof. 

(unlabel name &optional linerange)

removes  the  label  name  from  the  tags  associated  to  each  line.  Linerange  defaults  to  the  last  line 
of  the  current  proof. 

A  state  in  EKL  consists  of  the  currently  active  proof,  the  currently  active  context,  the  currently 
active  linename  context  and  the  currently  active  rewritename  context. 

A  linename  context  is  a  list  of  symbolic  names  associated  to  lines.  These  associations  may  be 
set  by  the  LABEL  command. 

A  rewritename  context  is  a  list  of  symbolic  names  associated  to  rewriters.  These  associations 
may  be  set  by  the  REWRITENAME  command. 

The label simpinfo has special meaning to the rewriter. The lines labeled simpinfo are
assumed to be lines that are always used in rewriting for simplification purposes or for verifying
sorts.

We can call lines not only by name, but also by their number. The command

(use foo#3)

means: use the third line of the proof foo. The command

(use -3)

means: use the third line in the current proof before the one being written. The symbol * stands
for -1, i.e., it denotes the last line.

The  currently  active  context  is  the  cumulative  subtotal  of  all  the  context  manipulation  that 
has  happened  in  the  currently  active  proof. 

In  a  typical  command  several  lines  may  be  cited.  We  first  of  all  combine  the  contexts  of  the 
cited  lines.  If  an  incompatibility  turns  up,  the  command  is  aborted.  This  context  is  then  combined 
with  the  previous  active  context;  all  the  incompatible  declarations  from  the  previous  context  are 
thrown  out.  The  resulting  context  is  then  used  for  parsing  of  terms  etc.  in  the  command.  If  no 
context  lines  are  cited,  we  default  to  the  previous  context.  This  is  sufficient  most  of  the  time. 

It follows that we can use conflicting declarations in different parts of the same proof
provided that we do not try to refer to these lines within the same command: the language that is
used is ultimately local to the line in question.

† F. Nietzsche, Genealogy of Morals, Second Essay, in: Kaufmann (editor), Basic Writings of
Nietzsche, pp. 493-4.

1.3. Rudiments of LISP.


We  shall  use  lists  to  represent  finite  functions.  Let  us  quickly  recall  the  basic  notions  of  LISP. 
(The  following  may  also  be  regarded  as  a  commentary  to  the  file  LISPAX,  containing  the  Axioms 
of  LISP,  to  be  found  in  the  Appendix.) 

Given a set A of atoms, including the empty list NIL, the set S of symbolic expressions (S-
expressions) is the set built from the atoms using the pairing operation:

(i) A ⊆ S

(ii) if x and y are S-expressions then x • y is an S-expression.

In other words,

S = A + S × S.

The unary operations car and cdr are the first and the second projections, defined on S \ A. It is
convenient for our purpose to define

car nil = nil = cdr nil.

The set ℒ of lists is a subset of the set S of S-expressions. ℒ is defined inductively by the
clauses

(iii) NIL is a list

(iv) if u is a list and x is an S-expression then x • u is a list.

As usual, we abbreviate (a₁ • (a₂ • ... (aₙ • NIL)...)) as (a₁ ... aₙ). The variables xa, ya and za
always range over atoms (i.e. are of sort atom), x, y and z range over S-expressions (sort
sexp) and u, v, w range over lists (sort listp).

These inductive definitions suggest principles to define functions by recursion on the definitions
of S (recursion on S-expressions) and ℒ (recursion on lists). Using higher order logic we can
formulate the principle Listinductiondef of recursion on lists as

∀df nilcase def.
  (∃fun.(∀pars x u.fun(nil,pars)=nilcase(pars)∧
                  fun(x.u,pars)=def(x,u,fun(u,df(x,pars)),pars)))

Here pars is a list of n parameters, df is a given auxiliary (n+1)-ary function, giving a list of n
parameters as value, nilcase is a given n-ary function and def is a given (n+3)-ary function, for
each n. Actually the type structure of EKL plays a major role here, since it can be used to transform
any list of n arguments into a single argument. For example, fun is declared to have type

ground⊗ground*→ground*.

We can also formulate the principle of Listinduction to prove facts about functions defined by
recursion on ℒ:

∀phi.phi(nil)∧(∀x u.phi(u)⊃phi(x.u))⊃(∀u.phi(u))

Here phi is any predicate taking lists as argument. The principles of recursion and induction on
S-expressions are similar.

The type structure of the language of EKL is a limit to the inductive strength of the system.
In the situation described above

— pars is of type ground*,

— df of type (ground⊗ground*)→ground*,

— nilcase of type ground*→ground*,

so that fun will be of type (ground⊗ground*)→ground*, too.

The device of variable types is a way to overcome such limitation. Consider the following High
Order Definition

∀bigfun atom_fun.∃defined_fun.
  ∀x y.(atom x ⊃ defined_fun(x)=atom_fun(x))∧
       (defined_fun(x.y)=
           bigfun(x,y,defined_fun(x),defined_fun(y)))

Here

— @arb is a variable type with name arbitrary,

— bigfun is of type ground⊗ground⊗@arb⊗@arb→@arb,

— defined_fun and atom_fun are of type ground→@arb.

In this way we allow EKL to postpone the decision about the type of the function defined_fun
to the time of application of the principle to define a particular function in a given context: then
@arb can be specialized to an object of any type. Therefore we have a primitive recursive schema
for definition on all higher type functionals.


1.4. Permutations and the Pigeon Hole Principle.


Let A be a finite set and let F be the set of all surjections on A, i.e. the set of all functions
mapping A onto itself. The following fact is an easy consequence of the Pigeon Hole Principle.

Lemma. Every surjection on a finite set is an injection.

The proof will be considered in the section below. Assuming the Lemma, it is not hard to prove
the following Theorem.

Theorem. (F, ∘), where ∘ is the operation of composition of functions, is a group.

Proof. It is easy to check that the composition of two surjections on A is a surjection on A
and that composition of functions is an associative operation. The identity map i is a surjection
and is the two-sided identity with respect to ∘. Finally, given f ∈ F, the inverse map

f⁻¹ : f(a) ↦ a,

for all a ∈ A, is a well defined function, since f is an injection; has A as domain, since f is a
surjection on A; f⁻¹ is a surjection on A, since the domain of f is A. Clearly, for all f ∈ F,

f⁻¹ ∘ f = i = f ∘ f⁻¹. ■†


† We use ■ for the end of a proof (both informal and mechanical) and □ for the end of an
example.
The pigeon hole principle is usually formulated as follows: if we put n + 1 pigeons in n holes,
then at least one hole gets more than one pigeon. Equivalently,

If we have n pigeons and n holes and each hole contains at least one pigeon, then each hole
contains exactly one pigeon.

More formally, let N_n be the segment of N bounded by n, i.e. the set of natural numbers less
than n.

Theorem. Let f be a function on natural numbers, f : N_n → N, such that for all m,

(i) $f(m) > 0$

and

(ii) $\sum_{m=0}^{n-1} f(m) = n$.

Then for all m < n,

$f(m) = 1$.

Proof. We use induction on n, employing the following facts of arithmetic: for all k, m, n,

(iii) $m \geq n \wedge k \geq 1 \supset m + k \geq n + 1$,

for all k, m, n,

(iv) $m \geq n \wedge k \geq 1 \wedge m + k = n + 1 \supset m = n \wedge k = 1$.

We use (i) and (iii) to show, by induction on n, that for all n,

(v) $\sum_{m=0}^{n-1} f(m) \geq n$.

Now, in the induction step, we assume

$\sum_{m=0}^{n} f(m) = n + 1$,

and use (iv) and (v) to prove

(vi) $\sum_{m=0}^{n-1} f(m) = n \;\wedge\; f(n) = 1$;

then we apply the induction hypothesis. ■


Now we can prove

Lemma. Every surjection on a finite set is an injection.

Proof. Let |A| = n be the cardinality of A and let a_m be the m-th element, for some
enumeration without repetition of A. For any sequence of pairwise disjoint sets B_i,

(vii) $\sum_{i<n} |B_i| = \left|\bigcup_{i<n} B_i\right|$.

Let f ∈ F and for each m < n, let A_m = f⁻¹({a_m}) be the inverse image of {a_m}. The A_m's are
pairwise disjoint and their union is A. Therefore, by (vii),

(viii) $\sum_{m<n} |A_m| = |A| = n$.

Moreover, since f is surjective, for all A_m and all m < n,

(ix) $|A_m| \neq 0$.

The Pigeon Hole Principle says that, if (viii) and (ix), then for all m < n,

(x) $|A_m| = 1$.

We conclude, for all i, j < n,

$a_i \neq a_j \supset f(a_i) \neq f(a_j)$,

by  applying  (x)  to  ■ 


1.5.  The  Representation  of  Permutations  in  LISP. 

We turn now to the representation of finite functions in terms of LISP structures and the
operations on finite functions as LISP programs. We will consider the representation of the above
mathematical facts as properties of LISP programs and formally state the facts to be proved by
EKL.

1.5.1.  A  Remark  on  Sets  and  Lists. 

A  set,  according  to  Cantor’s  explanation,  is  an  aggregate  of  objects,  regarded  as  an  entity 
that  can  itself  be  an  element  of  other  sets.  In  Set  Theory  sets  may  be  constructed  out  of  a  given 
stock  of  basic  objects,  the  urelements,  but  abstraction  is  made  from  the  particular  features  of  the 
urelements  as  well  as  from  the  order  in  which  the  urelements  may  be  given  to  us.  (In  fact,  in 
mainstream  Set  Theory  urelements  are  ignored  and  the  entire  universe  of  sets  is  generated  out  of 
nothing,  from  the  empty  set.) 

In formalizing Set Theory within, say, first order logic, a distinction is made between sets and
classes in order to avoid paradoxes: unlike sets, classes cannot be regarded as elements of other
sets or classes and axioms (say, Zermelo-Fraenkel axioms) determine if a property, expressed by a
predicate, actually denotes a set or only a class.
If the formal language is a typed language, as the language of EKL, we may disregard the
distinction between sets and classes, for the strict restriction imposed by the type structure already
guarantees freedom from paradoxes. Thus instead of

{x : P(x)}

we may write (using the lambda notation)

λx.P(x)

or simply

P

to denote the set of objects having the property P. The ∈ relation can then be defined as

Definition. (Epsilon)

∀av xv.xv∈av≡av(xv)

We will use the epsilon notation applied only to the relation between urelements and sets of
urelements.

The set

{x}

can be represented as

λy.y = x.

This is our notation for the singleton set:

Definition. (Mkset)

∀xv.mkset(xv)=(λyv.yv=xv).

Given an aggregate, if we abstract only from the particular features of the elements we have
an ordered set; if the set is finite we speak of a list. In the LISP language the term ‘list’ has a
technical meaning, and membership in a list is represented by the recursive predicate member.

Definition. (Member)

∀x y u.¬member(x,nil)∧member(x,y.u)≡(x=y∨member(x,u))

Conceptually, the distinction between a list u and the set

{x : x is a member of u}.  (*)

amounts to the distinction between a finite ordered set and a set. Our notation for the set (*) is

Definition. (Mklset)

∀u.mklset(u)=λx.member(x,u)

The functional mklset maps a list into the set of its members.




ABOUT PERMUTATIONS IN LISP AND EKL


1.5.2. Permutations as Association Lists.

Let f : A → B be any finite function, i.e. a function defined on a finite set A. Its graph, i.e.
the set {(a, f(a)) : a ∈ A}, can be written as

  a₁      a₂      ...   aₙ
  f(a₁)   f(a₂)   ...   f(aₙ)

A finite function can be represented by an association list, i.e. by writing the graph of the
function as a list. For instance the above function f can be represented by the list alist_f

( (a₁ • f(a₁)) (a₂ • f(a₂)) ... (aₙ • f(aₙ)) ).  (★)

The notation (★) is slightly ambiguous: the graph of a function is a set of pairs, but (★)
seems rather to denote a list of pairs. Strictly speaking, the graph of f is correctly represented by
mklset(alist_f), not by alist_f. It is more informative to represent f by an equivalence class of
association lists rather than by a predicate. We give an appropriate equivalence relation below.

Using alist_f, we can represent the operation ‘apply f to an element a_k in the domain of f’
as follows: take the cdr of the S-expression in alist_f whose car is a_k. Moreover, if f and g are
finite functions such that the composition g ∘ f of f and g is defined and alist_f and alist_g are
the association lists representing f and g, then we can find a list alist_{g∘f}

( (a₁ • c₁) (a₂ • c₂) ... (aₙ • cₙ) )

representing g ∘ f as follows: “given a_k, in order to find c_k go through alist_f searching for the
S-expression whose car is a_k and take its cdr, say b_k; next go through alist_g searching for the
S-expression whose car is b_k, and take its cdr as c_k”.

The identity and inverse operations have an easy representation using association lists. The
following list alist_id represents the identity function on {a₁,...,aₙ}:

( (a₁ • a₁) (a₂ • a₂) ... (aₙ • aₙ) ).

The ‘inverse’ of alist_f is given by the list alist_{f⁻¹}:

( (f(a₁) • a₁) (f(a₂) • a₂) ... (f(aₙ) • aₙ) )

The result of ‘composing’ alist_{f⁻¹} with alist_f is alist_id. The result of ‘composing’ alist_f with
alist_{f⁻¹} is the following list alist_{id₁}:

( (f(a₁) • f(a₁)) (f(a₂) • f(a₂)) ... (f(aₙ) • f(aₙ)) )

If f is a bijection (and alist_id, alist_{id₁} “don’t contain garbage”) then both alist_id and alist_{id₁}
represent the identity function on the same set.

The official EKL definition of alist is given by the following axiom. Here alist is a variable
of type ground and sort alistp.

Definition. (Alistdef)

∀xa y alist.alistp nil ∧ alistp((xa.y).alist)
The following is the definition of the operation of application using association lists.

Definition. (Appalist)

∀alist y.appalist(y,alist)=cdr assoc(y,alist)

where assoc has been defined in the LISP library file as follows:

∀x xa y alist.assoc(x,nil)=nil∧
              assoc(x,(xa.y).alist)=(if x=xa
                                      then xa.y
                                      else assoc(x,alist))

Given an association list alist, let dom(alist) be the list containing the first element of each
pair and range(alist) the list of all the second elements.

Definition. (Dom)

∀xa y alist.dom nil=nil∧
            dom((xa.y).alist)=xa.dom alist

Definition. (Range)

∀xa y alist.range nil=nil∧
            range((xa.y).alist)=y.range alist

The recursive predicate uniqueness is true of a list u iff every element of u occurs only once.

Definition. (Uniqueness)

∀u x.uniqueness nil∧
     (uniqueness(x.u)≡¬member(x,u)∧uniqueness(u))

The fact that (the equivalence class of) alist represents a function is given by the property
of uniqueness of dom(alist):

Definition. (Functp)

∀alist.functp(alist)≡uniqueness dom(alist)

and the fact that (the equivalence class of) alist represents an injection can be characterized as
follows:

Definition. (Injectp)

∀alist.injectp(alist)=functp(alist)∧uniqueness range(alist)

Finally, (the equivalence class of) alist represents a permutation if and only if dom(alist)
and range(alist) are the same as sets and have the same length as lists. The second property is
of course obviously true for any alist.

Definition. (Permutp)

∀alist.permutp(alist)≡functp(alist)∧
                        mklset(dom(alist))=mklset(range(alist))
We don't need to include in our definition of permutation the fact that (the equivalence class
of) alist represents an injection, namely injectp(alist). The fact that the property injectp
follows from our definition permutp corresponds to the Lemma in Section 1.4.

Composition of functions is then represented by the following LISP function ∘∘ (notice the order:
alist_f ∘∘ alist_g is the function g ∘ f):

Definition. (Compalist)

∀alist1 alist2 xa y.nil ∘∘ alist2=nil∧
                    ((xa.y).alist1) ∘∘ alist2=
                        (xa.appalist(y,alist2)).(alist1 ∘∘ alist2)

Identity is represented by the following predicate:

Definition. (Idalistp)

∀alist xa y.idalistp(nil)∧
            (idalistp((xa.y).alist)≡xa=y∧idalistp alist)

Inversion is represented by the LISP function:

Definition. (Invalist)

∀alist xa y.invalist nil=nil∧
            invalist((xa.y).alist)=(y.xa).invalist alist

An unpleasant feature of this approach is that any association list consisting exactly of the
S-expressions (a_k • f(a_k)), for all k, is also a representation of f, independently of the order in
which they occur. The function f is not represented by a single association list, but by the class
of all association lists that have the same members and give the same result with respect to the
operation of “application”.

The equivalence relation is represented by the following predicate:

Definition. (Samemap)

∀alist alist1.samemap(alist,alist1)≡
    mklset dom(alist)=mklset dom(alist1)∧
    (∀y.y∈mklset dom(alist)⊃
        appalist(y,alist)=appalist(y,alist1))

The Theorem to be proved consists of the following statements:

Theorem 1. (i) (Permutp Compalist)

∀ALIST ALIST1.PERMUTP(ALIST)∧PERMUTP(ALIST1)∧
              MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
              PERMUTP(ALIST ∘∘ ALIST1)

Theorem 1. (ii) (Compalist Associativity)

∀ALIST ALIST1 ALIST2.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃
                     ALIST ∘∘ (ALIST1 ∘∘ ALIST2)=(ALIST ∘∘ ALIST1) ∘∘ ALIST2

Theorem 2. (i) (Idalistp Permutp)

∀ALIST.FUNCTP(ALIST)∧IDALISTP(ALIST)⊃PERMUTP(ALIST)

Theorem 2. (ii) (Right Idalistp)

∀ALIST1.IDALISTP(ALIST1)⊃
        (∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃ALIST ∘∘ ALIST1=ALIST)

Theorem 2. (iii) (Left Idalistp)

∀ALISTID ALIST.IDALISTP(ALISTID)∧
               MKLSET(DOM(ALISTID))=MKLSET(DOM(ALIST))⊃
               SAMEMAP(ALISTID ∘∘ ALIST,ALIST)

Theorem 3. (i) (Permutp Invalist)

∀ALIST.PERMUTP(ALIST)⊃PERMUTP(INVALIST(ALIST))

Theorem 3. (ii) (Right Invalist)

∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
       IDALISTP(ALIST ∘∘ INVALIST(ALIST))

Theorem 3. (iii) (Left Invalist)

∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
       IDALISTP(INVALIST(ALIST) ∘∘ ALIST)
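As an added example (not the paper's own EKL or LISP code), the association-list definitions of this section are transcribed into Python and the theorems just stated, together with the Lemma of Section 1.5.4, are checked on constructed alists over the atoms a, b, c. Pairs are Python tuples, NIL is the empty list, and the atom restriction of Theorem 3 is not modelled since Python tuples can key on anything.

```python
# Added example, not the paper's own EKL/LISP code: the association-list
# representation of Section 1.5.2 transcribed into Python so that the
# definitions and the theorems stated above can be exercised on constructed
# inputs.  An alist is a Python list of (xa, y) pairs; NIL is []; cdr of NIL
# is NIL, which appalist renders as None when a key is absent.

def assoc(x, alist):
    """assoc: the first pair whose car is x, else NIL (None)."""
    for pair in alist:
        if pair[0] == x:
            return pair
    return None


def appalist(y, alist):
    """Appalist: cdr assoc(y,alist); a missing key yields None (cdr nil = nil)."""
    pair = assoc(y, alist)
    return None if pair is None else pair[1]


def dom(alist):                      # Dom: list of cars
    return [xa for xa, _ in alist]


def range_(alist):                   # Range: list of cdrs
    return [y for _, y in alist]


def uniqueness(u):                   # Uniqueness: no element occurs twice
    return all(x not in u[i + 1:] for i, x in enumerate(u))


def mklset(u):                       # Mklset: members of u as a set
    return frozenset(u)


def functp(alist):                   # Functp: dom has no repeated key
    return uniqueness(dom(alist))


def injectp(alist):                  # Injectp: also no repeated value
    return functp(alist) and uniqueness(range_(alist))


def permutp(alist):                  # Permutp: dom and range are the same set
    return functp(alist) and mklset(dom(alist)) == mklset(range_(alist))


def compalist(alist1, alist2):
    """Compalist: alist1 ∘∘ alist2; with alist1 = f and alist2 = g this is g∘f."""
    return [(xa, appalist(y, alist2)) for xa, y in alist1]


def idalistp(alist):                 # Idalistp: every pair is (xa . xa)
    return all(xa == y for xa, y in alist)


def invalist(alist):                 # Invalist: swap car and cdr in each pair
    return [(y, xa) for xa, y in alist]


def samemap(alist, alist1):
    """Samemap: same domain as a set and the same value on each domain element."""
    d = mklset(dom(alist))
    return d == mklset(dom(alist1)) and all(
        appalist(y, alist) == appalist(y, alist1) for y in d)


def check_theorems(alist, alist1, ident):
    """Instances of Theorems 1-3 above (and the Lemma of 1.5.4) on given alists.

    Each entry reads 'hypotheses imply conclusion', so True means the instance
    agrees with the theorem and False would be a counterexample.
    """
    d, d1, di = mklset(dom(alist)), mklset(dom(alist1)), mklset(dom(ident))
    inv = invalist(alist)
    return {
        # Theorem 1 (i): Permutp Compalist
        'permutp_compalist': not (permutp(alist) and permutp(alist1) and d == d1)
                             or permutp(compalist(alist, alist1)),
        # Theorem 2 (ii)/(iii): Right and Left Idalistp
        'right_idalistp': not (idalistp(ident) and mklset(range_(alist)) <= di)
                          or compalist(alist, ident) == alist,
        'left_idalistp': not (idalistp(ident) and di == d)
                         or samemap(compalist(ident, alist), alist),
        # Theorem 3 (i)-(iii): Permutp, Right and Left Invalist
        'permutp_invalist': not permutp(alist) or permutp(inv),
        'right_invalist': not injectp(alist) or idalistp(compalist(alist, inv)),
        'left_invalist': not injectp(alist) or idalistp(compalist(inv, alist)),
        # Lemma (Permutp Injectp), Section 1.5.4
        'permutp_injectp': not permutp(alist) or injectp(alist),
    }


# Constructed sample data: two permutations of {a, b, c}, the identity on it,
# and an alist that is a function but neither injective nor a permutation.
F = [('a', 'b'), ('b', 'c'), ('c', 'a')]
G = [('a', 'c'), ('b', 'a'), ('c', 'b')]
ID = [('a', 'a'), ('b', 'b'), ('c', 'c')]
K = [('a', 'b'), ('b', 'b')]

if __name__ == '__main__':
    print(compalist(F, G))                    # g∘f as an alist
    print(samemap(F, list(reversed(F))))      # same map, different list: True
    print(check_theorems(F, G, ID), check_theorems(K, F, ID))
    print(idalistp(compalist(K, invalist(K))))  # False: injectp was needed
```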


1.5.3. Permutations as Lists of Numbers.

Let N_n be the segment of N up to n, i.e. the set {m : m ∈ N, m < n}. If A is the set N_n
and f is a function with domain A then f is called a (finite) sequence.

We can represent arbitrary finite functions using finite sequences. Given f : A → B and
suitable bijections i : N_n → A, j : N_m → B, where n is the cardinality of A and m is the
cardinality of the range of f, there is a finite function g : N_n → N_m such that the diagram

[diagram: N_n → N_m]

commutes. Thus, we need only consider functions from segments of N to segments of N.

Although lists and finite sequences are essentially the same kind of mathematical object, a
function is usually understood as a method to associate an element of the range to each element of
the domain in a unique way.

When finite functions are represented by lists, we specify a method as follows. Given the finite
function h : N_n → N, “list the range” of h in the order given by the domain, i.e. construct the list

v_h = (h(0) h(1) ... h(n-1)).

Thus v_h associates to each number in N_n the nth element of v_h. (To “list the domain” in the order
given by the range is another possibility.)

The LISP function nth is defined as follows:

Definition. (Nth)

∀x u n.nth(nil,n)=nil∧nth(u,0)=car u∧nth(x.u,n')=nth(u,n)

The equation

nth(v_h, k) = h(k)

explains how the function nth represents the operation of applying a function to a number.

If v_h represents h and u is any list of numbers, then v_h can be “applied” to u, by applying v_h
successively to all the members of u. The operation “applying v_h” to u is defined if all members of
u are numbers less than the length of v_h.

This motivates our official definition of application, using lists of numbers:

Definition. (Appl)

∀u i.appl(u,i)=nth(u,i)

The following predicate specifies the condition for v to be defined as an application on u as
the domain:

∀u v.def_appl(v,u)≡allp(λx.natnum(x)∧x<length(v),u)

Here allp is a recursive predicate, checking whether all members of a list have a certain
property:

∀phi x u.allp(phi,nil)∧
         allp(phi,x.u)=if phi(x) then allp(phi,u) else false

The fact that a list u represents an injection is naturally represented by the predicate inj: if
every element of u occurs just once in u, then two applications of u give the same value only for
the same argument.

Definition. (Inj)

∀u.inj(u)≡∀n m.n<length(u)∧m<length(u)∧nth(u,n)=nth(u,m)⊃n=m

On the other hand, the fact that u represents a surjection on N_{length(u)} is given by the property
onto, namely the fact that all members of u are numbers in N_{length(u)} and, conversely, all numbers
in N_{length(u)} are members of u. In such case every number in N_{length(u)} will be the result of an
application of u to some argument.

Definition. (Onto)

∀u.into(u)≡(∀n.n<length u⊃natnum nth(u,n)∧nth(u,n)<length u)

∀u.onto(u)≡(into(u)∧(∀n.n<length u⊃member(n,u)))

Definition. (Perm)

∀u.perm(u)≡onto(u)

As above, we don't need to include in our definition of permutation the fact that f is 1-1: the
proof that perm(u) implies inj(u) will be described in Section 1.5.4.

Composition of functions can be represented by the following LISP function:

Definition. (Compose)

∀u v x.(u∘nil)=nil∧(u∘(x.v))=(nth(u,x)).(u∘v)

Equivalently, the following predicate comp gives the condition for an application of u to be the same
as an application of w followed by an application of v.

Definition. (Comp)

∀u v w.comp(u,v,w)≡
       length u=length w∧(∀n.n<length u⊃nth(u,n)=nth(v,nth(w,n)))

The representation of the identity function and the inversion of permutations are discussed in
Section 6.1. It is clear that the predicate id gives the condition for the result of an application of
u to be the same as its argument:

Definition. (Id)

∀u.id(u)≡(∀n.n<length u⊃nth(u,n)=n)

We will choose the following function to construct the list representing the identity function:

Definition. (Ident)

∀x u n i.ident1(i,0)=nil∧ident1(i,n')=i.ident1(i',n)

∀n.ident(n)=ident1(0,n)

Consider the function λu x.fstposition(u,x) that returns a number n, with 0 ≤ n <
length(u), corresponding to the position of the first occurrence of x in u, if x occurs in u, and NIL
otherwise.

∀x u y.fstposition(nil,y)=nil∧
       fstposition(x.u,y)=if ¬member(y,x.u)
                          then nil
                          else if x=y
                               then 0
                               else add1(fstposition(u,y))

This function is our candidate for the inverse operation of nth. If x occurs in u, then
nth(u,fstposition(u,x))=x.

By applying this for x = nth(u,n) and n < length(u), we get

fstposition(u,nth(u,n))=m,

with m < length(u). Here m need not be equal to n. However, this will certainly be the case if x
occurs only once in u, or in other words if u has the injectivity property inj(u).

Notice the asymmetry here: the function fstposition is the right inverse of λn.nth(u,n)
for any u_h, i.e. for any function h represented by u_h. However fstposition is the left inverse of
λn.nth(u,n) only if u_h has the injectivity property, i.e. if the function h represented by u_h is a
permutation.

Using this property of fstposition, we can give the condition for u to represent the inverse
function of the permutation v:

Definition. (Inv)

∀u v.inv(u,v)≡(∀n.n<length u⊃nth(u,n)=fstposition(v,n))

and, as argued below, the following is a convenient way of constructing such inverse:

Definition. (Inverse)

∀u i n.invers1(u,i,0)=nil∧invers1(nil,i,n)=nil∧
       invers1(u,i,n')=if null(fstposition(u,i))
                       then nil
                       else fstposition(u,i).invers1(u,i',n)

∀u.inverse(u)=invers1(u,0,length(u))

Using predicates, the results to be proved are:

Theorem 1. (i) (Composition)

∀U V W.PERM(V)∧PERM(W)∧LENGTH V=LENGTH W∧COMP(U,V,W)⊃PERM(U)

Theorem 1. (ii) (Uniqueness)

∀U U1 V W.COMP(U,V,W)∧COMP(U1,V,W)⊃U=U1

Theorem 1. (iii) (Associativity)

∀U U1 V V1 W1 W2 W3.
    INTO(W3)∧LENGTH W2=LENGTH W3∧
    COMP(V,W1,W2)∧COMP(U,V,W3)∧COMP(V1,W2,W3)∧COMP(U1,W1,V1)⊃U=U1

Theorem 2. (i) (Identity)

∀U.ID(U)⊃PERM(U)

∀U V W.ID(U)∧COMP(V,W,U)∧LENGTH W=LENGTH U⊃V=W
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Theorem  2.  (n)(  Right  Identity) 

VU  V  W.ID(U)aPERM(W)aLENGTH  W=LENGTH  UaCOMP(V,W,U)DW=V 
Theorem  2.  (iii)(Z,e/V  Identity) 

VU  V  W.ID(U)aPERM(W)aLENGTH  W=LENGTH  UaCOMP(V.U,W)DW=V 
Theorem  3.  (\)(Inverse) 

VU  V.PERM(U)aINV(V,U)aLENGTH  V=LENGTH  UDPERM(V) 

Theorem  3.  {ii){Right  Inverse) 

VU  V  W.PERM(W)aINV(U,W)aCOMP(V,W,U)aLENGTH  U=LENGTH  WOID(V) 
Theorem  3.  {m){Left  Inverse) 

VU  V  W.PERM(W)AlNV(U,W)ACOMP(V,U,W)ALENGTH  W=LENGTH  UDID(V) 

Using  functions,  the  results  can  be  stated  as  follows: 

Theorem  1.  (i)  (Perm  Compose) 

VU  V.PERM  U  A  PERM  V  A  LENGTH  U  =  LENGTH  V  D  PERM(U®V) 

Theorem  1.  (ii)  (Associathnty  of  Composition) 

VU  V  W.PERM(V)aPERM(U)aLENGTH  V=LENGTH  UaLENGTH  W=LENGTH  UD 
(W®V)«U=W®(V»U) 

Theorem  2.  (i){Perm  Ident) 

VN.PERM(IDENT(N)) 

Theorem  2.  (i\)(Right  Identity) 

VU.U®IDENT (LENGTH  U)=U 
Theorem  2.  (i\i){Left  Identity) 

VU.INT0(U)DIDENT(LENGTH  U)®U=U 
Theorem  3.  (i)(Perm  Inverse) 

VU . PERM (U) DPERM (INVERSE (U) ) 

Theorem  3.  (\\)(Right  Inverse) 

VU.PERM(U)DU®INVERSE(U)=IDENT(LENGTH(U)) 

Theorem  3.  (\n)( Left  Inverse) 

VU. PERM (U) 3 INVERSE  U®U=IDENT(LENGTH  U) 
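The following Python model, added here as an illustration and not taken from the paper or from EKL, writes out the list-of-numbers representation after the definitions above (nth, fstposition, invers1/inverse, ident, and composition with nth(v∘u,n)=nth(v,nth(u,n))). It makes the asymmetry of fstposition concrete: the right-inverse law holds for every list, the left-inverse law only for injective lists, and the group laws of Theorems 1 to 3 hold for a permutation. Python lists stand for LISP lists and None stands for the nil that the total functions return outside their domain. The definitions of into, onto, perm and def_appl are assumptions of this example; the paper's own formal definitions of INTO, ONTO, PERM and DEF_APPL are not reproduced here.

```python
# Added example (not the paper's code): list-of-numbers representation of finite
# functions, following the paper's definitions of nth, fstposition, invers1,
# inverse, ident and composition.  Python lists stand for LISP lists; None
# stands for nil as the default value of the total functions nth/fstposition.
# into, onto, perm and def_appl are this example's assumed definitions.
from typing import Optional


def nth(u: list, n: int) -> Optional[int]:
    """nth(nil,n)=nil, nth(u,0)=car u, nth(x.u,n')=nth(u,n)."""
    if not u:
        return None
    if n == 0:
        return u[0]
    return nth(u[1:], n - 1)


def fstposition(u: list, y) -> Optional[int]:
    """Position of the first occurrence of y in u; nil (None) if y is absent."""
    if not u:
        return None
    if u[0] == y:
        return 0
    rest = fstposition(u[1:], y)
    return None if rest is None else rest + 1


def length(u: list) -> int:
    return len(u)


def inj(u: list) -> bool:
    """Every element occurs just once (injectivity / uniqueness property)."""
    return all(fstposition(u, nth(u, n)) == n for n in range(length(u)))


def into(u: list) -> bool:
    """All values are natural numbers below length(u) (assumed definition)."""
    return all(isinstance(x, int) and 0 <= x < length(u) for x in u)


def onto(u: list) -> bool:
    """Every number below length(u) occurs in u (assumed definition)."""
    return all(fstposition(u, k) is not None for k in range(length(u)))


def perm(u: list) -> bool:
    """A permutation is a list that is both into and onto (assumed definition)."""
    return into(u) and onto(u)


def right_inverse_holds(u: list) -> bool:
    """nth(u, fstposition(u, x)) = x for every x occurring in u: true for any u."""
    return all(nth(u, fstposition(u, x)) == x for x in u)


def left_inverse_holds(u: list) -> bool:
    """fstposition(u, nth(u, n)) = n for every n < length(u): true only if inj(u)."""
    return all(fstposition(u, nth(u, n)) == n for n in range(length(u)))


def invers1(u: list, i: int, n: int) -> list:
    """invers1(u,i,0)=nil, invers1(nil,i,n)=nil, invers1(u,i,n') =
    if null(fstposition(u,i)) then nil else fstposition(u,i).invers1(u,i',n)."""
    if n == 0 or not u:
        return []
    p = fstposition(u, i)
    if p is None:
        return []
    return [p] + invers1(u, i + 1, n - 1)


def inverse(u: list) -> list:
    """inverse(u) = invers1(u, 0, length(u))."""
    return invers1(u, 0, length(u))


def inv(u: list, v: list) -> bool:
    """Definition (Inv): nth(u,n) = fstposition(v,n) for all n < length(u)."""
    return all(nth(u, n) == fstposition(v, n) for n in range(length(u)))


def ident(n: int) -> list:
    """The identity list 0.1. ... .(n-1); Lemma 6.5 gives nth(ident(m),n)=n."""
    return list(range(n))


def def_appl(v: list, u: list) -> bool:
    """Every value of u is a valid position in v (assumed reading of DEF_APPL)."""
    return all(isinstance(x, int) and 0 <= x < length(v) for x in u)


def compose(v: list, u: list) -> list:
    """v∘u with nth(v∘u,n) = nth(v,nth(u,n)) (Lemma 6.4); u is applied first,
    so length(v∘u) = length(u) (Lemma 6.1)."""
    if not def_appl(v, u):
        raise ValueError("composition undefined: a value of u is not a position in v")
    return [nth(v, nth(u, n)) for n in range(length(u))]


def group_laws_hold(p: list) -> bool:
    """Theorems 2 and 3 for a permutation p: identities and two-sided inverse."""
    n = length(p)
    q = inverse(p)
    return (perm(p) and perm(q) and inv(q, p)
            and compose(p, ident(n)) == p and compose(ident(n), p) == p
            and compose(p, q) == ident(n) and compose(q, p) == ident(n))


def associativity_holds(w: list, v: list, u: list) -> bool:
    """Theorem 1 (ii): (w∘v)∘u = w∘(v∘u) for permutations of equal length."""
    return compose(compose(w, v), u) == compose(w, compose(v, u))


if __name__ == "__main__":
    u = [2, 0, 2]        # constructed sample: not injective
    p = [2, 0, 3, 1]     # constructed sample: a permutation
    print("right inverse for u:", right_inverse_holds(u))
    print("left inverse for u: ", left_inverse_holds(u))
    print("inverse(p) =", inverse(p), "group laws:", group_laws_hold(p))
```

Running the block prints True for the right-inverse law on u = [2,0,2] and False for the left-inverse law, because fstposition(u,nth(u,2)) is 0, not 2; for p = [2,0,3,1] it prints inverse(p) = [1,3,0,2] and True for the group laws. Note that inverse of a list that is not onto stops at the first missing number, exactly as invers1 does.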
1.5.4. Application of the Pigeon Hole Principle to Permutations.

We have two representations of finite functions: thus we will have to prove two facts representing
the theorem that every finite surjection is an injection. In the representation by alists the fact is:

Theorem (Permutp Injectp)

∀ALIST. PERMUTP(ALIST) ⊃ INJECTP(ALIST)

Under the assumption permutp(alist), we need to show uniqueness(range(alist)).

In the representation by lists of numbers we show:

Theorem (Perm Injectivity) ∀U. PERM(U) ⊃ INJ(U)

As explained above, uniqueness and injectivity are equivalent predicates, asserting that every
element of a list occurs just once. Although the theorems in question can be formulated in terms
of the definition of permutation and of the predicates above, we need more information when we
try to prove them.

The argument for theorem Permutp Injectp can be summarized as follows. Since by definition
dom(alist) has the uniqueness property, there are n different kinds of objects (n 'holes') in
dom(alist) and also in range(alist), since dom(alist) and range(alist) have objects of the
same kinds (i.e., each 'hole' has at least one object ('pigeon') of range(alist)). The number of
(distinct) objects in range(alist) ('pigeons') is at most the length of range(alist) and at least
the number of different kinds of objects, therefore it is exactly n. Therefore each kind of object
occurs just once in range(alist) and this implies that range(alist) has the uniqueness property.

Despite the apparent triviality of this informal argument, some work is needed to formalize it.
To speak of 'kinds' of objects is to speak of sets. We need a function counting the multiplicity of
elements of u belonging to the set a:

Definition (Multiplicity):

∀x u a. mult(nil,a)=0 ∧
mult(x.u,a)= if a(x) then mult(u,a)' else mult(u,a)

Next we must show that the list dom(alist), considered as a set, can be partitioned into
disjoint sets, i.e. the sets

a(n) = {x : x=nth(dom alist,n)}

for all n, n < length(dom(alist)).

Therefore we need a recursive predicate to decide whether the sets of a sequence are pairwise
disjoint:

Definition (Disjoint):

∀n setseq.
disjoint(setseq,0) ∧
disjoint(setseq,n') ≡ (disjoint(setseq,n) ∧
disj_pair(un(setseq,n),setseq(n)))

where disj_pair is defined as

∀a b. disj_pair(a,b) ≡ emptyp(a∩b)

To count the distinct objects in range(alist) we need the notions of finite union and finite
sum:

Definition (Finite Union):

∀n setseq. un(setseq,0)=emptyset ∧
un(setseq,n')=un(setseq,n)∪setseq(n)

Definition (Finite Sum):

∀n numseq. sum(numseq,0)=0 ∧
sum(numseq,n')=sum(numseq,n)+numseq(n)

and, moreover, the following

Lemma (Mult of Un is Sum Mult)

∀SETSEQ U N. DISJOINT(SETSEQ,N) ⊃
MULT(U,UN(SETSEQ,N))=SUM(λX1.MULT(U,SETSEQ(X1)),N)

The argument for Theorem Perm Inj is similar, but simpler. As before we prove the rather
obvious fact that the set of numbers below length(u) can be partitioned into the disjoint sets

{x : x = m}

for each m < length(u). We need to show that for each m < length(u) the multiplicity in u of
the set {x : x = m} is exactly 1; then the injectivity of u follows. The pigeon-hole principle is used
to prove this fact.

The pigeon-hole principle as such is an easy matter also for EKL. We use simple numeric
induction to prove that for any function f : N_n → N, if the values of f are at least 1 and the sum
of the n values is at most n (hence exactly n), then each value is exactly 1. In both applications the
function in question is

λm.mult(v,a(m))

In the case of association lists, v is range(alist); in the other case it is the given list u. In the
case of association lists, a(m) is the set {x : x=nth(dom alist,m)}; in the case of numeric lists we
can take the set {x : x = m} for a(m) and this is the reason why in this case proofs are simpler.
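To show how the pieces above fit together, here is an added Python model (not from the paper or from EKL) of mult, mkset, the finite union un, the finite sum, disj_pair, disjoint and the pigeon-hole fact, applied to the list-of-numbers case of Theorem (Perm Injectivity) in the three steps just described. Sets are predicates (Python callables), as in the paper; since emptiness of a predicate cannot be decided in general, emptyp and disjointness are checked over an explicit finite universe supplied by the caller, which is a restriction of this example. The definition of onto is this example's assumption.

```python
# Added example (not the paper's code): the pigeon-hole argument for lists of
# numbers.  Sets are predicates; emptyp/disj_pair/disjoint are decided over a
# finite universe passed in explicitly (an assumption of this example).
from typing import Callable

Set = Callable[[object], bool]


def mult(u: list, a: Set) -> int:
    """mult(nil,a)=0, mult(x.u,a)= if a(x) then mult(u,a)' else mult(u,a)."""
    if not u:
        return 0
    return (1 if a(u[0]) else 0) + mult(u[1:], a)


def mkset(x) -> Set:
    """mkset(x) = λy. y=x, the set of occurrences of x."""
    return lambda y: y == x


def emptyset(x) -> bool:
    return False


def union(a: Set, b: Set) -> Set:
    return lambda x: a(x) or b(x)


def intersection(a: Set, b: Set) -> Set:
    return lambda x: a(x) and b(x)


def un(setseq: Callable[[int], Set], n: int) -> Set:
    """un(setseq,0)=emptyset, un(setseq,n')=un(setseq,n) ∪ setseq(n)."""
    s = emptyset
    for k in range(n):
        s = union(s, setseq(k))
    return s


def fsum(numseq: Callable[[int], int], n: int) -> int:
    """sum(numseq,0)=0, sum(numseq,n')=sum(numseq,n)+numseq(n)."""
    return sum(numseq(k) for k in range(n))


def emptyp(a: Set, universe: list) -> bool:
    """emptyp(a) = ∀xv.¬a(xv), decided over the given finite universe."""
    return not any(a(x) for x in universe)


def disj_pair(a: Set, b: Set, universe: list) -> bool:
    return emptyp(intersection(a, b), universe)


def disjoint(setseq: Callable[[int], Set], n: int, universe: list) -> bool:
    """disjoint(setseq,0); disjoint(setseq,n') = disjoint(setseq,n) ∧
    disj_pair(un(setseq,n), setseq(n))."""
    return all(disj_pair(un(setseq, k), setseq(k), universe) for k in range(n))


def mult_of_un_equals_sum_mult(u: list, setseq, n: int, universe: list) -> bool:
    """One instance of Lemma (Mult of Un is Sum Mult): for a disjoint sequence,
    mult(u, un(setseq,n)) = sum(λk. mult(u, setseq(k)), n)."""
    if not disjoint(setseq, n, universe):
        raise ValueError("the lemma assumes disjoint(setseq, n)")
    return mult(u, un(setseq, n)) == fsum(lambda k: mult(u, setseq(k)), n)


def pigeonfact(f: Callable[[int], int], n: int) -> bool:
    """Theorem (Pigeonfact): if 1 ≤ f(m) for all m < n and sum(f,n) ≤ n, then
    f(m) = 1 for all m < n.  Checks the hypotheses, returns the conclusion."""
    if not all(1 <= f(m) for m in range(n)) or fsum(f, n) > n:
        raise ValueError("pigeonfact hypotheses not met")
    return all(f(m) == 1 for m in range(n))


def onto(u: list) -> bool:
    """Every number below length(u) occurs in u (assumed definition of ONTO)."""
    return all(mult(u, mkset(k)) >= 1 for k in range(len(u)))


def perm_injectivity(u: list) -> bool:
    """The three-step argument for Theorem (Perm Injectivity) on an onto list u:
    the sets mkset(m), m < length(u), are pairwise disjoint (Lemma 4.4); onto
    gives 1 ≤ mult(u, mkset(m)) (Lemma 4.5); the sum of these multiplicities is
    mult(u, un(mkset,n)) ≤ length(u) = n (Lemmas 2.13 and 2.8); so the
    pigeon-hole principle makes each one exactly 1, which yields inj(u)."""
    n = len(u)
    universe = list(range(n)) + list(u)
    if not disjoint(mkset, n, universe):
        raise AssertionError("Lemma 4.4 failed on this instance")
    if not onto(u):
        raise ValueError("u is not onto: the theorem's hypothesis fails")
    total = fsum(lambda m: mult(u, mkset(m)), n)
    if not (total == mult(u, un(mkset, n)) <= n):
        raise AssertionError("multiplicity bookkeeping failed")
    each_one = pigeonfact(lambda m: mult(u, mkset(m)), n)
    # Lemma 2.11 (Mult Inj): mult(u, mkset(nth(u,k))) = 1 for every k gives inj(u)
    return each_one and all(mult(u, mkset(x)) == 1 for x in u)


if __name__ == "__main__":
    print(perm_injectivity([2, 0, 1]))   # constructed sample, a permutation
```

For u = [2,0,1] the multiplicities of mkset(0), mkset(1), mkset(2) are all 1, their sum is 3 = length(u), and the function returns True. For a list that is not onto, such as [1,0,1], the second step raises, since the theorem's hypothesis is not met.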

1.6. Outline of the Paper.

All the proofs are given in the Appendix. The organization of proofs in files and the dependence
of the files are described at the beginning of the Appendix.

Part I, i.e. Sections 2 and 3, can be regarded as an introductory guide to automatic deduction
of facts about LISP, through experiments and examples.

Section 2 is devoted to the definition of the LISP functions nth, nthcdr, fstposition and
mult and to the proof of basic facts about them. It also contains facts of set theory and arithmetic.
Some useful techniques to replace "deriving" by "rewriting" through tautologies of second order
propositional logic are explained and illustrated with an example.

We prove, among other things, the following facts connecting member and nth...

Lemma 2.1. (Nth Member)

∀U N. N<LENGTH U ⊃ MEMBER(NTH(U,N),U)

Lemma 2.2. (Member Nth)

∀U Y. MEMBER(Y,U) ⊃ (∃N. N<LENGTH U ∧ NTH(U,N)=Y)

...and the following properties of nthcdr:

Lemma 2.3. (Nthcdr Car Cdr)

∀U N. N<LENGTH U ⊃ NTHCDR(U,N)=NTH(U,N).NTHCDR(U,N')

Lemma 2.4. (Nth in Nthcdr)

∀U N M. N<M ∧ M<LENGTH U ⊃ MEMBER(NTH(U,M),NTHCDR(U,N))

Facts about nth and fstposition:

Lemma 2.5. (Nth Fstposition)

∀U N. MEMBER(N,U) ⊃ NTH(U,FSTPOSITION(U,N))=N

Lemma 2.6. (Fstposition Nth)

∀U N. UNIQUENESS(U) ∧ N<LENGTH U ⊃ FSTPOSITION(U,NTH(U,N))=N

The set of elements of a list is the finite union of the sets obtained using nth:

Lemma 2.7. (Mklset Un)

∀U. UN(λM.MKSET(NTH(U,M)),LENGTH(U)) = (λX.(MKLSET(U))(X))

Moreover we show the following facts concerning the function mult:

Lemma 2.8. (Length Mult)

∀U A. MULT(U,A) ≤ LENGTH U

Lemma 2.9. (Member Mult)

∀U Y A. MEMBER(Y,U) ∧ A(Y) ⊃ 1 ≤ MULT(U,A)

Lemma 2.10. (Mult Nthcdr)

∀N A U. N<LENGTH U ⊃ MULT(NTHCDR(U,N),A) ≤ MULT(U,A)

Lemma 2.11. (Mult Inj)

∀V. (∀K. K<LENGTH V ⊃ MULT(V,MKSET(NTH(V,K)))=1) ⊃ INJ(V)

The following facts about finite sums and unions are also needed:

Lemma 2.12. (Multsum)

∀U. DISJ_PAIR(A,B) ⊃ MULT(U,A∪B)=MULT(U,A)+MULT(U,B)

Lemma 2.13. (Mult of Un is Sum Mult)

∀SETSEQ U N. DISJOINT(SETSEQ,N) ⊃
MULT(U,UN(SETSEQ,N))=SUM(λX1.MULT(U,SETSEQ(X1)),N)




Section 3 contains the definitions of application and permutation, in both representations.
It contains also some facts needed for the representation through association lists. In particular,
since this representation is not unique, we have the predicate samemap that is true of two alists if
they represent the same function. We show that samemap is an equivalence relation on alists:

Lemma 3.1. (Samemap Equivalence)

(i) ∀ALIST. SAMEMAP(ALIST,ALIST)

(ii) ∀ALIST ALIST1. SAMEMAP(ALIST,ALIST1) ⊃ SAMEMAP(ALIST1,ALIST)

(iii) ∀ALIST ALIST1 ALIST2. SAMEMAP(ALIST,ALIST1) ∧ SAMEMAP(ALIST1,ALIST2) ⊃
SAMEMAP(ALIST,ALIST2)


Part 2 contains the three mathematical facts, namely

— the proof of the Pigeon Hole Principle, and two proofs that every finite surjection is an
injection (Section 4);

— the proof that permutations represented as association lists form a group (Section 5);

— the proof that permutations represented as lists of numbers form a group (Section 6).

Section 4 contains

Theorem. (Pigeonfact)

∀F N. (∀M. M<N ⊃ NATNUM F(M)) ∧ (∀M. M<N ⊃ 1 ≤ F(M)) ∧ SUM(λK.F(K),N) ≤ N ⊃
(∀M. M<N ⊃ 1=F(M))

Corollary. (Pigeonlist)

∀U. DISJOINT(SETSEQ,LENGTH U) ⊃
((∀M. M<LENGTH U ⊃ 1 ≤ MULT(U,SETSEQ(M))) ⊃
(∀M. M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M))))

and the two applications of the pigeon hole principle. In both cases the proof takes three steps.

In the version representing functions as association lists the desired result...

Theorem. (Permutp Injectp)

∀ALIST. PERMUTP(ALIST) ⊃ INJECTP(ALIST)

...is proved through the following steps:

Lemma 4.1. (Inj Disj)

∀U. INJ(U) ⊃ DISJOINT(λM.MKSET(NTH(U,M)),LENGTH U)

Lemma 4.2. (Permutp Injectp Lemma)

∀U V. MKLSET(U)=MKLSET(V) ⊃
(∀M. M<LENGTH(U) ⊃ 1 ≤ MULT(V,MKSET NTH(U,M)))

Lemma 4.3. (Mult Mult)

∀U V. MKLSET(U)=MKLSET(V) ∧
(∀M. M<LENGTH U ⊃ MULT(V,MKSET(NTH(U,M)))=1) ⊃
(∀I. I<LENGTH V ⊃ MULT(V,MKSET(NTH(V,I)))=1)

The conclusion follows by the lemma Mult Inj.

In the version representing functions as lists the result...

Theorem. (Perm Injectivity)

∀U. PERM(U) ⊃ INJ(U)

...is proved again in three steps:

Lemma 4.4. (Disjoint Number)

∀N. DISJOINT(λXV.MKSET(XV),N)

Lemma 4.5. (Onto Mult)

∀U. ONTO(U) ⊃
(∀N. N<LENGTH(U) ⊃ 1 ≤ MULT(U,MKSET(N)))

Lemma 4.6. (Into Mult)

∀U. INTO(U) ∧
(∀K. K<LENGTH U ⊃ 1=MULT(U,MKSET(K))) ⊃
(∀I. I<LENGTH U ⊃ 1=MULT(U,MKSET(NTH(U,I))))

The conclusion follows using the lemma Mult Inj.

Sections 5-6 contain definitions of the operation of composition of functions, of the identity
function and of the operation taking the inverse of a permutation, and proofs of the following
theorems:

Theorem 1. (i) The composition of permutations is a permutation.

(ii) Composition of functions is associative.

Theorem 2. (i) The identity function i is a permutation.

(ii) For every permutation f, f ∘ i = f.

(iii) For every permutation f, i ∘ f = f.

Theorem 3. (i) For every permutation f, the inverse function f⁻¹ is a permutation.

(ii) For every permutation f, f ∘ f⁻¹ = i.

(iii) For every permutation f, f⁻¹ ∘ f = i.

In Section 5 we work with association lists. In the proof of the theorems we need the following
facts:

Lemma 5.1 (App Compalist)

∀ALIST ALIST1. MEMBER(X,DOM(ALIST)) ⊃
APPALIST(X,ALIST ∘∘ ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)

Lemma 5.2 (Dom Compalist)

∀ALIST ALIST1. DOM(ALIST ∘∘ ALIST1)=DOM(ALIST)

Lemma 5.3 (Nonempty Range)

∀ALIST X. MEMBER(X,DOM ALIST) ⊃
(∃Y. MEMBER(Y,RANGE ALIST) ∧ APPALIST(X,ALIST)=Y)

Lemma 5.4 (Nonempty Domain)

∀ALIST Z. UNIQUENESS DOM(ALIST) ∧ MEMBER(Z,RANGE ALIST) ⊃
(∃X. MEMBER(X,DOM ALIST) ∧ APPALIST(X,ALIST)=Z)

Lemma 5.5 (Main Idalistp)

∀ALIST Y. IDALISTP(ALIST) ∧ MEMBER(Y,DOM(ALIST)) ⊃
APPALIST(Y,ALIST)=Y


In Section 6 first we discuss the choice of LISP functions and predicates for the representation
through lists of numbers. Then the proofs of the theorems in the representations PERMP, using
predicates, and PERMF, using LISP functions, are shown in parallel.

In the version PERMF we need first to prove some facts about length.

Lemma 6.1. (Length Compose)

∀U W. DEF_APPL(W,U) ⊃ LENGTH (W∘U)=LENGTH U

Lemma 6.2. (Length Ident)

∀N. LENGTH (IDENT(N))=N

Lemma 6.3. (Length Inverse)

∀U. PERM(U) ⊃ LENGTH (INVERSE(U))=LENGTH U

In the version PERMF, by proving first the following facts, we make it possible to follow the
proofs of the version PERMP.

Lemma 6.4. (Nth Compose)

∀U N. DEF_APPL(V,U) ∧ N<LENGTH U ⊃ NTH(V∘U,N)=NTH(V,NTH(U,N))

Lemma 6.5. (Main Id)

∀N. N<M ⊃ NTH(IDENT(M),N)=N

Lemma 6.6. (Main Inv)

∀U N. PERM U ∧ N<LENGTH U ⊃ NTH(INVERSE U,N)=FSTPOSITION(U,N)
2. Preliminaries: Basic Tools.


2.1. Educating EKL about propositional Logic.

One of the unique features of EKL is the ability to describe procedures like bringing formulas
into disjunctive normal form (where other rewriters can then be applied) as a set of simple rewriters.
However, since this is often not appropriate and may cause combinatorial explosions, we do not
add these to the default rewrite facts denoted by simpinfo; instead we want to call those lines as
rewriters when needed.

;propositional schemata, used by the rewriter to normalize expressions
(proof normal)

1. (trw |∀p q r. ((p∨q)∧r)≡((p∧r)∨(q∧r))|)

(label normal)

2. (trw |∀p q r. (r∧(p∨q))≡((r∧p)∨(r∧q))|)

(label normal)

3. (trw |∀p q r. ((p∨q)∧r)≡((p∧r)∨(q∧r))|)

(label normal)

4. (trw |∀p q r. (p∨q⊃r)≡(p⊃r)∧(q⊃r)|)

(label normal)

5. (trw |∀p q. (¬(p∨q))≡((¬p)∧(¬q))|)

(label demorgan)

6. (derive |∀p q. ¬(p∧q)≡(¬p)∨(¬q)|)

(label demorgan1)

Now the rewriter will be able to normalize expressions, distributing conjunction over disjunction,
eliminating disjunctions in the antecedent of an implication and negations of disjunctions.

The pure rewriter, however, finds it difficult to make certain inferences in conditional rewriting.
This problem may be overcome by introducing propositional facts to be used later as rewriters.

7. (derive |∀p q. p≡(q⊃p)∧(¬q⊃p)|)

(label excluded_middle)

8. (derive |∀p q r. (q⊃r)∧(if p then q else r)⊃r|)

(label trans_cond)

Remark. Example 1. The use of the lines labeled NORMAL is an interesting example of use
of second order unification. Since sentences are just terms of type truthval, we can apply to them
the rewriting procedure in a uniform way. This is made possible, of course, by the use of the higher
order unification. We give an example of its application. The fact to prove is the transitivity of ≤,
assuming the transitivity of <. Using our technique we collapse into one line a 16 line long Natural
Deduction style proof. We will present the Natural Deduction style proof first.
(wipe-out)

(get-proofs nth prf prm gib)

(proof example)

(setq rewritemessages t)

;labels: TRANSITIVITY_OF_ORDER
;∀N M K. N<M∧M<K⊃N<K

;labels: LESSEQDEF
;∀M N. M≤N≡(M=N∨M<N)

(Remember: (open lesseq) is the same as use: lesseqdef mode: exact.)

0. (trw |∀n m k. n≤m∧m≤k⊃n≤k| (open lesseq)
transitivity_of_order)

;the term N≤M is replaced by:

N=M∨N<M

;the term M≤K is replaced by:

M=K∨M<K

;the term N≤K is replaced by:

N=K∨N<K

;(∀N M K. N≤M∧M≤K⊃N≤K)≡(∀N M K. (N=M∨N<M)∧(M=K∨M<K)⊃N=K∨N<K)

We do not go very far by simply expanding the definition of ≤, because the rewriter does not know
what to do with the disjunctions in the antecedent.

Instead, we can construct a derivation and use two arguments by cases to handle the disjunctions
(lines 14 and 15).

(setq rewritemessages nil)

1. (assume |n≤m|)

(label example1)

2. (assume |m≤k|)

(label example2)

3. (rw example1 (open lesseq))

;N=M∨N<M

(label example3)

;deps: (EXAMPLE1)

Argue by cases. First case:

4. (assume |n=m|)

5. (rw example2 (use * mode: exact direction: reverse))

;N≤K

(label example4)

Second case:

6. (assume |n<m|)

(label example5)

7. (rw example2 (open lesseq))

;M=K∨M<K

(label example6)

;deps: (EXAMPLE2)

Within the second case, we need another argument by cases.

8. (assume |m=k|)

9. (rw example5 (use * mode: exact))

;N<K

10. (trw |n≤k| (open lesseq) *)

;N≤K

(label example7)

11. (assume |m<k|)

12. (derive |n<k| (transitivity_of_order example5 *))

13. (trw |n≤k| (open lesseq) *)

;N≤K

(label example8)

14. (cases example6 example7 example8)

;N≤K

(label example10)

;deps: (EXAMPLE2 EXAMPLE5)

This concludes the second case. So we can conclude our first argument.

15. (cases example3 example4 example10)

;N≤K

;deps: (EXAMPLE1 EXAMPLE2)

16. (ci (example1 example2))

;N≤M∧M≤K⊃N≤K


This concludes the Natural Deduction style proof of the transitivity of ≤. However, using
the rewriter NORMAL we can do all this in one step.

0. (trw |∀n m k. n≤m∧m≤k⊃n≤k| (open lesseq) (use normal mode: always)
transitivity_of_order)

;∀N M K. N≤M∧M≤K⊃N≤K
(label example)

For after expanding the definition of ≤ the rewriter uses lines 1 and 2 of the proof NORMAL:

;the term (N=M∨N<M)∧(M=K∨M<K) is replaced by:
N=M∧(M=K∨M<K)∨N<M∧(M=K∨M<K)

;the term N=M∧(M=K∨M<K) is replaced by:
N=M∧M=K∨N=M∧M<K

So in the first disjunct

;the term M is replaced by:

K

Similarly

;the term N<M∧(M=K∨M<K) is replaced by:

N<M∧M=K∨N<M∧M<K

;the term M is replaced by:

K

Later the rewriter uses line 4 of the proof NORMAL. This corresponds to argument by cases.

;the term N=K∧M=K∨N=M∧M<K∨N<K∧M=K∨N<M∧M<K⊃N=K∨N<K is replaced by:
(N=K∧M=K⊃N=K∨N<K)∧(N=M∧M<K∨N<K∧M=K∨N<M∧M<K⊃N=K∨N<K)

Now standard rewriting does the job for the first conjunct:

;the term N=K is replaced by:

TRUE

;the term TRUE∨N<K is replaced by:

TRUE

;the term N=K∧M=K⊃TRUE is replaced by:
TRUE

etc.
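The rewriting just traced can be reproduced outside EKL. The following Python block is an added illustration, not code from the paper or from EKL: it encodes the schemata of lines 1, 2, 4, 5 and 6 of the proof NORMAL (line 3 reads the same as line 1 above) as rewrite rules on formulas built from ∧, ∨, ⊃ and ¬, applies them to the expanded transitivity goal with the comparisons treated as propositional letters, and checks that the result is a conjunction of implications whose antecedents contain no disjunction, which is what the argument by cases reduces to and what lets standard rewriting finish each conjunct. The tuple encoding of formulas and the truth-table check are conventions of this example.

```python
# Added example (not the paper's or EKL's code): the NORMAL schemata as a
# rewrite system on propositional formulas encoded as nested tuples
# (op, *args) with op in {'and', 'or', 'imp', 'not'}; strings are atoms.
from itertools import product
from typing import Union

Formula = Union[str, tuple]


def is_op(f: Formula, op: str) -> bool:
    return isinstance(f, tuple) and f[0] == op


def step(f: Formula) -> Formula:
    """One pass of the NORMAL rules, outermost redex first."""
    if isinstance(f, str):
        return f
    op = f[0]
    if op == 'and':
        a, b = f[1], f[2]
        if is_op(a, 'or'):                      # ((p∨q)∧r) ≡ ((p∧r)∨(q∧r))   line 1
            return ('or', ('and', a[1], b), ('and', a[2], b))
        if is_op(b, 'or'):                      # (r∧(p∨q)) ≡ ((r∧p)∨(r∧q))   line 2
            return ('or', ('and', a, b[1]), ('and', a, b[2]))
        return ('and', step(a), step(b))
    if op == 'imp':
        a, b = f[1], f[2]
        if is_op(a, 'or'):                      # (p∨q⊃r) ≡ (p⊃r)∧(q⊃r)       line 4
            return ('and', ('imp', a[1], b), ('imp', a[2], b))
        return ('imp', step(a), step(b))
    if op == 'or':
        return ('or', step(f[1]), step(f[2]))
    if op == 'not':
        a = f[1]
        if is_op(a, 'or'):                      # ¬(p∨q) ≡ (¬p)∧(¬q)          line 5
            return ('and', ('not', a[1]), ('not', a[2]))
        if is_op(a, 'and'):                     # ¬(p∧q) ≡ (¬p)∨(¬q)          line 6
            return ('or', ('not', a[1]), ('not', a[2]))
        return ('not', step(a))
    raise ValueError(f"unknown connective {op!r}")


def normalize(f: Formula) -> Formula:
    """Rewrite to a fixpoint; the rules only move ∨ outward and ¬ inward, so
    the loop terminates."""
    while True:
        g = step(f)
        if g == f:
            return f
        f = g


def atoms(f: Formula) -> set:
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(x) for x in f[1:]))


def evaluate(f: Formula, env: dict) -> bool:
    if isinstance(f, str):
        return env[f]
    op = f[0]
    if op == 'and':
        return evaluate(f[1], env) and evaluate(f[2], env)
    if op == 'or':
        return evaluate(f[1], env) or evaluate(f[2], env)
    if op == 'imp':
        return (not evaluate(f[1], env)) or evaluate(f[2], env)
    return not evaluate(f[1], env)


def equivalent(f: Formula, g: Formula) -> bool:
    """Truth-table check that rewriting preserved the meaning of the formula."""
    names = sorted(atoms(f) | atoms(g))
    return all(evaluate(f, dict(zip(names, v))) == evaluate(g, dict(zip(names, v)))
               for v in product([False, True], repeat=len(names)))


def implication_cases(f: Formula) -> list:
    """The conjuncts of a conjunction: the cases of an argument by cases."""
    if is_op(f, 'and'):
        return implication_cases(f[1]) + implication_cases(f[2])
    return [f]


def contains(f: Formula, op: str) -> bool:
    if isinstance(f, str):
        return False
    return f[0] == op or any(contains(x, op) for x in f[1:])


# Constructed sample: the transitivity goal after (open lesseq), with the
# atomic comparisons treated as propositional letters.
TRANSITIVITY = ('imp',
                ('and', ('or', 'n=m', 'n<m'), ('or', 'm=k', 'm<k')),
                ('or', 'n=k', 'n<k'))

if __name__ == "__main__":
    for case in implication_cases(normalize(TRANSITIVITY)):
        print(case)
```

Run on TRANSITIVITY, normalize produces four implications, the first being (n=m ∧ m=k ⊃ n=k ∨ n<k), each with a disjunction-free antecedent; these are exactly the four cases that the sixteen-line derivation handled by two nested appeals to cases. Replacing M by K in the first case and using the transitivity of < in the last one is left to the other rewriters, as in the EKL trace above.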


2.2. Educating EKL about first grade Arithmetic.

First we ask EKL to read the proofs contained in the file MINUS, namely the proofs "minus" and
"lesseq". They in turn contain the instruction of reading the files NATNUM and NORMAL (see the
Appendix).

(wipe-out)

;Done.Proof?

(get-proofs minus)

;file read in

;switched to MINUS

;the proof LESSEQ read in.

;the proof INDUCTION read in.

;the proof MINUS read in.

;the proof NATNUM read in.

;the proof NORMAL read in.


We use □ for the end of an example and ■ for the end of a proof (both informal and
mechanical).
2.3. LISP and the Bound Quantifier Allp.


Similarly we ask EKL to learn about LISP by reading the file LISPAX (see the Appendix).

(wipe-out)

;Done.Proof?

(get-proofs lispax)

;file read in
;switched to LISPAX
;the proof LISPAX read in.

In defining functionals, the language of EKL gives us the option between a definition by recursion
and a definition using bounded quantifiers.

Consider the predicate allp(phi,u), to be interpreted as "for all members x of u, phi(x)". It
could be defined as:

(define allp |∀phi x u. allp(phi,u)≡(∀x.member(x,u)⊃phi(x))|)

The definition by recursion Allpdef

∀phi x u. allp(phi,nil) ∧
allp(phi,x.u)= if phi(x) then allp(phi,u) else false

simplifies its use in proofs by induction on lists: consider for instance the proofs of the Lemma Nth
Compose or of Theorem Assoc Compose. In contexts where a straightforward proof by induction
is not possible, we may use the other definition, having proved the equivalence.

;facts about allp
(proof allp)

;a reformulation of the definition of allp

1. (trw |∀phi x u. allp(phi,x.u)≡phi(x)∧allp(phi,u)| (open allp))

;∀PHI X U. ALLP(PHI,X.U)≡PHI(X)∧ALLP(PHI,U)

(label allpfact)

;allp_introduction

2. (ue (phi |λu. (∀y.member(y,u)⊃phi1(y))⊃allp(phi1,u)|)

listinduction

(open allp member) (use normal mode: always))

(label allp_introduction)

;∀U. (∀Y.MEMBER(Y,U)⊃PHI1(Y))⊃ALLP(PHI1,U)

;allp_elimination

3. (ue (phi |λu. member(x,u)∧allp(phi1,u)⊃phi1(x)|)

listinduction

(part 1 (open member allp) (use normal mode: always)))

(label allp_elimination)

;∀U. MEMBER(X,U)∧ALLP(PHI1,U)⊃PHI1(X)


;allp_implication
4. (ue (phi |λu. ∀a a1. allp(a,u)∧(∀x.a(x)⊃a1(x))⊃allp(a1,u)|)
listinduction (open allp))

(label allp_implication)

;∀U A A1. ALLP(A,U)∧(∀X.A(X)⊃A1(X))⊃ALLP(A1,U)

Similarly for the predicate somep:

∀phi x u. ¬somep(phi,nil) ∧

somep(phi,x.u)= if phi(x) then true else somep(phi,u)
(proof somepprop)

1. (ue (phi |λu. member(y,u)∧phi1(y)⊃somep(phi1,u)|)

listinduction

(open somep member) (use normal mode: always))

;∀U. MEMBER(Y,U)∧PHI1(Y)⊃SOMEP(PHI1,U)

2. (derive |∀u. (∃y.member(y,u)∧phi1(y))⊃somep(phi1,u)| *)

3. (ue (phi |λu. somep(phi1,u)⊃(∃x.member(x,u)∧phi1(x))|)

listinduction

(part 1 (open member somep) (use normal mode: always) (der)))
;∀U. SOMEP(PHI1,U)⊃(∃X.MEMBER(X,U)∧PHI1(X))

4. (derive |∀u. somep(phi1,u)≡(∃x.member(x,u)∧phi1(x))| (* -2))

(label somepfact)


2.4. Facts of elementary set theory.


Next we introduce some useful notations of elementary set theory. We do not distinguish
between sets and predicates: our variables av, bv for sets will allow us to speak only about very
few sets (only sets of "urelements", sets of objects of type ground; see 1.5.1).

Remark. Example 2. The following example shows that some care is needed in dealing with
default declarations. In guessing the declaration for a term, EKL looks for syntactical similarities
with previously defined terms: thus if x has been previously declared, EKL tries the same declaration
for x1 or xv.

If we start a new proof, without access to the previous ones, then the expression xv receives
default declaration type: ground syntype: variable sort: universal.

(proof sets)

1. (decl (av bv) (type: |ground→truthval|))

2. (decl epsilon (type: |ground⊗@av→truthval|)

(infixname: ∈) (bindingpower: 925))

3. (define epsilon |∀av xv. xv∈av≡av(xv)|)

;XV is unknown.

;the symbol XV declared to have type GROUND
On the other hand, in the proof LISPAX the term x has already been declared: its declaration
is type: ground syntype: variable sort: sexp. Therefore, if we give EKL access to the proof
lispax first, then xv becomes a variable of the sort sexp (line 3 below).

Since in this paper we will consider only sets of S-expressions, such default declaration is
convenient.

(get-proofs allp)

;file read in
;switched to ALLP
;the proof ALLP read in.

;the proof LISPAX read in.

(proof sets)

1. (decl (av bv) (type: |ground→truthval|))

2. (decl epsilon (type: |ground⊗@av→truthval|)

(infixname: ∈) (bindingpower: 925))

3. (define epsilon |∀av xv. xv∈av≡av(xv)|)

(label epsilondef)

;XV is unknown.

;the symbol XV is given the same declaration as X

However, there is a more elegant way to obtain this result: we can declare xv to be of some
sort, say urelement:

(wipe-out)

(proof sets)

(decl (xv yv zv) (type: ground) (sort: urelement))


Then we establish, by axioms, that urelements and S-expressions are the same class.

(axiom |∀x.urelement x|)

(label simpinfo)

(axiom |∀xv.sexp xv|)

(label simpinfo)

Thus we can create the two files separately and later give EKL access to both files and assume the
above axioms, if needed. □

;useful set theory
(wipe-out)

(get-proofs allp)

(proof sets)

;all urelements will be S-expressions
;all S-expressions will be urelements

1. (decl (xv yv zv) (type: |ground|) (sort: urelement))

2. (decl (av bv) (type: |ground→truthval|))
3. (axiom |∀x.urelement x|)

(label simpinfo)

4. (axiom |∀xv.sexp(xv)|)

(label simpinfo)

5. (decl epsilon (type: |ground⊗@av→truthval|)

(infixname: ∈) (bindingpower: 925))

6. (define epsilon |∀av xv. xv∈av≡av(xv)|)

(label epsilondef)

;XV is unknown.

;the symbol XV is given the same declaration as X

7. ;∀A B. (∀XV. XV∈A≡XV∈B)⊃A=B
(label set_extensionality)

8. (decl intersection (type: |@set⊗@set→@set|)

(infixname: ∩) (bindingpower: 950)

(prefixname: intersection))

9. (define intersection |∀a b. a∩b=λxv.(a(xv)∧b(xv))|)

(label interdef)

10. (decl union (type: |@set⊗@set→@set|)

(infixname: ∪) (bindingpower: 950)

(prefixname: union))

11. (define union |∀a b. a∪b=λxv.(a(xv)∨b(xv))|)

(label uniondef)

12. (decl inclusion (type: |@set⊗@set→truthval|)

(infixname: ⊂) (bindingpower: 920)

(prefixname: inclusion))

13. (define inclusion |∀a b. a⊂b≡∀xv.a(xv)⊃b(xv)|)

(label inclusiondef)

14. (defax emptyset |emptyset=λxv.false|)

(label emptysetdef)

15. (defax emptyp |∀a. emptyp(a)≡∀xv.¬a(xv)|)

We want to be able to talk of the set of occurrences of an S-expression x as well as of the set
of elements of a list u.

16. (decl mkset (type: |ground→@set|))

17. (define mkset |∀xv. mkset(xv)=(λyv.yv=xv)|)

(label mkset_def)

;the set of members of a list

18. (decl mklset (type: |ground→@av|))

19. (define mklset |∀u. mklset(u)=λx.member(x,u)|)

(label mklsetdef)
2.5. Putting things together.


The basic ground domain will contain both S-expressions and natural numbers. We need both
to define the function length

∀u x. (length nil=0) ∧ length(x.u)=(length u)'

(see the Appendix).

(get-proofs length)

;file read in
;switched to SETFACTS
;the proof SETFACTS read in.

;the proof ALLP read in.

;the proof LESSEQ read in.

;the proof INDUCTION read in.

;the proof LENGTH read in.

;the proof MINUS read in.

;the proof NATNUM read in.

;the proof NORMAL read in.

;the proof SETS read in.

;the proof LISPAX read in.

In such a context, the following principle (Doubleinduction1) of double induction for lists and
numbers will be very useful:

∀PHI3.
(∀U N X. PHI3(NIL,N) ∧ PHI3(U,0) ∧ (PHI3(U,N) ⊃ PHI3(X.U,N'))) ⊃ (∀U N. PHI3(U,N))

Numbers and S-expressions are ground objects of different sorts.

(axiom |∀n.sexp n|)

(label simpinfo)

(axiom |∀n.¬null(n)|)

(label simpinfo)

We remarked above that some care is needed to give the database the proper structure of
types and sorts. In our experiment, no artificial limitation of expressive power is imposed by the
type structure of EKL. Now we are ready to introduce the main LISP functions needed for our
representations of permutations.


2.6. Properties of Nth.

The LISP function nth plays a key role in our representation. nth and nthcdr are defined
as total functions, with the default value NIL. We shall present facts about these functions as
examples of simple inferences in EKL.
(proof nth)

1. (decl nth (syntype: constant) (type: |ground⊗ground→ground|))

2. (defax nth |∀x u n. nth(nil,n)=nil ∧ nth(u,0)=car u ∧

nth(x.u,n')=nth(u,n)|)

(label simpinfo) (label nthdef)

Example 3. The well-definedness of nth is an immediate consequence of its definition by
double induction on lists and numbers. We show the rewriting process in detail. Without the use
of simpinfo the following statement is obtained.

(setq rewritemessages t)

0. (ue (phi3 |λu n. sexp nth(u,n)|) doubleinduction1 (nuse simpinfo))

;(∀U N X. SEXP NTH(NIL,N) ∧ SEXP NTH(U,0) ∧
; (SEXP NTH(U,N) ⊃ SEXP NTH(X.U,N'))) ⊃

;(∀U N. SEXP NTH(U,N))

The information in simpinfo, including the definition of nth, is enough to obtain the result.

3. (ue (phi3 |λu n. sexp nth(u,n)|) doubleinduction1)

;the term NTH(NIL,N) is replaced by:

NIL

;the term SEXP NIL is replaced by:

TRUE

;the term SEXP NTH(U,0) is replaced by:

TRUE

;the term NTH(X.U,N') is replaced by:

NTH(U,N)

;the term SEXP NTH(U,N) is replaced by:

TRUE

;the term SEXP NTH(U,N)⊃TRUE is replaced by:

TRUE

;the term TRUE∧TRUE∧TRUE is replaced by:

TRUE

;the term ∀U N X. TRUE is replaced by:

TRUE

;the term TRUE⊃(∀U N. SEXP NTH(U,N)) is replaced by:

∀U N. SEXP NTH(U,N)

;∀U N. SEXP NTH(U,N)

(label simpinfo) (label sexp_nth) ■

□


Lemma 2.1. (Nth Member)

∀U N. N<LENGTH U ⊃ MEMBER(NTH(U,N),U)


Proof. We use double induction also for the membership of the values of nth in the original list.
The first base case, when n = 0, is proved by listinduction. For u = NIL we obtain a contradiction
in the antecedent (the line ZEROLEAST1, proof NATNUM, is in simpinfo). For u = x.u we apply the
definitions of nth and of member.

(ue (phi |λu. 0<length u ⊃ member(nth(u,0),u)|) listinduction
(open member))

;∀U. 0<LENGTH U ⊃ MEMBER(NTH(U,0),U)

The other base case gives again a contradiction and the inductive step is immediately reduced
to the induction hypothesis. Indeed, n'<length(x.u) reduces to n'<(length(u))' and by
SUCCESSORLESS (proof NATNUM) to n<length(u). By definition, nth(x.u,n') = nth(u,n).

(ue (phi3 |λu n. n<length u ⊃ member(nth(u,n),u)|) doubleinduction1
(use memberdef mode: always) (use *))

;∀U N. N<LENGTH U ⊃ MEMBER(NTH(U,N),U)

(label nthmember) ■


We need a converse of NTHMEMBER:

Lemma 2.2. (Member Nth)

∀U Y. MEMBER(Y,U) ⊃ (∃N. N<LENGTH U ∧ NTH(U,N)=Y)


Proof. Since Member Nth is an existential statement, we have to expand the proof. We use
induction on the list u. In order to prove that

∃n. n<length(x.u) ∧ nth(x.u,n)=y,

assume the induction hypothesis (line 1) and the antecedent for the inductive step (line 2); the
conclusion is reached in line 11.

(proof member_nth)

1. (assume |(MEMBER(Y,U) ⊃ (∃N. N<LENGTH U ∧ NTH(U,N)=Y))|)

(label m_n1)

;deps: (1)

2. (assume |member(y,x.u)|)

(label m_n2)

;deps: (2)

3. (rw * (open member))

(label m_n3)

;Y=X∨MEMBER(Y,U)

;deps: (M_N2)

This requires a proof by cases.

4. (assume |y=x|)

(label m_n4)

;deps: (4)

About Permutations in Lisp and EKL


If y = x, one can take 0 for the desired n. It is enough to expand the definitions of length and
nth in line 5 to verify that

0<length(x.u)∧nth(x.u,0)=y.

5. (trw |0<length(x.u)∧nth(x.u,0)=y| *)

;0<LENGTH (X.U)∧NTH(X.U,0)=Y

;deps: (M_N4)

6. (derive |∃n.n<length(x.u)∧nth(x.u,n)=y| *)

(label m_n5)

;deps: (M_N4)

Second case:

7. (assume |member(y,u)|)

(label m_n6)

;deps: (7)

8. (define nv |nv<length u∧nth(u,nv)=y| (m_n1 *))

;NV is unknown.

;the symbol NV is given the same declaration as N
;deps: (M_N1 M_N6)

The command DEFINE allows the introduction of an eigenvariable. This is EKL's way to deal with
existential elimination. Now take nv' for n:

9. (trw |nv'<length(x.u)∧nth(x.u,nv')=y| *)

;NV'<LENGTH (X.U)∧NTH(X.U,NV')=Y

;deps: (M_N1 M_N6)

10. (derive |∃n.n<length(x.u)∧nth(x.u,n)=y| *)

(label m_n7)

;deps: (M_N1 M_N6)

Existential introduction is performed in lines 6 and 10 by the DERIVE command. In both cases we
have reached the desired conclusion.

11. (cases m_n3 m_n5 m_n7)

;∃N.N<LENGTH (X.U)∧NTH(X.U,N)=Y
;deps: (M_N1 M_N2)

Cases derives the formula of lines 6 and 10 (the formula must be the same) and discharges the
open assumptions of lines 4 and 7, respectively, by using line 3. We use conditional introduction
to discharge assumptions and to write down the induction step (line 13). In line 14 the inductive
argument is performed as a rewriting procedure, using line 13 as a rewriter.

12. (ci m_n2)

;MEMBER(Y,X.U)⊃(∃N.N<LENGTH U'∧NTH(X.U,N)=Y)

;deps: (M_N1)

13. (ci m_n1)

;(MEMBER(Y,U)⊃(∃N.N<LENGTH U∧NTH(U,N)=Y))⊃
;(MEMBER(Y,X.U)⊃(∃N.N<LENGTH U'∧NTH(X.U,N)=Y))

The base case is trivial, since NIL has no members. Therefore:

14. (ue (phi |λu.member(y,u)⊃(∃n.n<length u∧nth(u,n)=y)|) listinduction
(open member) *)

;∀U.MEMBER(Y,U)⊃(∃N.N<LENGTH U∧NTH(U,N)=Y) ■
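The two lemmas above, as an added example that is not part of the paper (the paper's own development is in EKL, this is Python): the recursive axioms for length, nth and member written as Python functions, Lemma 2.1 checked exhaustively over a small constructed alphabet, and the proof of Lemma 2.2 turned into the witness-producing function it implicitly contains (0 in the first case of line 5, nv' in the second case of lines 8 and 9, where the eigenvariable nv becomes a recursive call). Lists are tuples, NIL is the empty tuple, x.u is (x,)+u; the function names and the alphabet are this example's own choices.

```python
# Added example (not from the paper): the list functions of Section 2 modelled in
# Python, following the recursive EKL axioms, plus an exhaustive check of
# Lemma 2.1 (Nth Member) and a constructive version of Lemma 2.2 (Member Nth).
# Lists are Python tuples; NIL is the empty tuple; "x.u" is (x,) + u.
from itertools import product

NIL = ()


def length(u):
    """length(nil)=0, length(x.u)=length(u)'"""
    return 0 if u == NIL else 1 + length(u[1:])


def nth(u, n):
    """nth(nil,n)=nil, nth(u,0)=car u, nth(x.u,n')=nth(u,n)."""
    if u == NIL:
        return NIL
    if n == 0:
        return u[0]
    return nth(u[1:], n - 1)


def member(y, u):
    """member(y,nil) is false; member(y,x.u) = (y=x) or member(y,u)."""
    return u != NIL and (y == u[0] or member(y, u[1:]))


def nth_member(u, n):
    """Instance of Lemma 2.1: n<length u implies member(nth(u,n),u)."""
    return not (n < length(u)) or member(nth(u, n), u)


def member_nth_witness(y, u):
    """Constructive content of Lemma 2.2: for member(y,u) return an n with
    n<length u and nth(u,n)=y, built exactly as the proof does: if y=x take 0
    (first case), otherwise take nv' where nv is the eigenvariable obtained
    from the induction hypothesis on u (second case).  Returns None if y is
    not a member, i.e. when the antecedent fails."""
    if u == NIL:
        return None              # base case: NIL has no members
    x, rest = u[0], u[1:]
    if y == x:
        return 0                 # line 5: 0<length(x.u) and nth(x.u,0)=y
    nv = member_nth_witness(y, rest)        # line 8: define nv from the hypothesis
    return None if nv is None else nv + 1   # line 9: take nv' for n


def check_lemmas(alphabet=("a", "b", "c"), max_len=4):
    """Exhaustively check Lemmas 2.1 and 2.2 over all lists of length <= max_len
    drawn from a small constructed alphabet.  Returns the number of lists checked."""
    count = 0
    for k in range(max_len + 1):
        for u in product(alphabet, repeat=k):
            count += 1
            for n in range(length(u) + 2):      # includes n >= length u
                assert nth_member(u, n)
            for y in alphabet:
                n = member_nth_witness(y, u)
                if member(y, u):
                    assert n is not None and n < length(u) and nth(u, n) == y
                else:
                    assert n is None
    return count
```

The witness returned is the position of the first occurrence of y, which is what the proof's case split produces: the first case fires as soon as y is found at the head.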


2.7. Properties of Nthcdr.


(proof nthcdr)

1. (decl nthcdr (syntype: constant) (type: |ground⊗ground→ground|))

2. (defax nthcdr |∀x u n.nthcdr(nil,n)=nil∧nthcdr(u,0)=u∧
nthcdr(x.u,n')=nthcdr(u,n)|)

(label simpinfo) (label nthcdrdef)

The proofs of the following facts are quite easy and can be found in the Appendix.

3. ∀U N.LISTP NTHCDR(U,N)

(label simpinfo)

4. ∀U.0<LENGTH U⊃NTH(U,0).NTHCDR(U,1)=U
(label nth_nthcdr_zero)

5. ∀U N.N<LENGTH U⊃CAR NTHCDR(U,N)=NTH(U,N)

(label car_nthcdr)

6. ∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N')

(label cdr_nthcdr)

Lemma 2.3. (Nthcdr Car Cdr)

7. ∀U N.N<LENGTH U⊃NTHCDR(U,N)=NTH(U,N).NTHCDR(U,N')

(label nthcdr_car_cdr) ■

The proof of the following Lemma is of some interest. We give it here.

Lemma 2.4. (Nth in Nthcdr)

∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

Proof. First we show

∀U N M.(N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N)))

by double induction on numbers and lists, i.e. on n and on u (line 13). For n = 0 the result is
the lemma Nthmember. For u = NIL we have a false antecedent.

As the inductive hypothesis we need an explicitly universally quantified formula:

1. (assume |∀m.(n<m∧m<length u⊃member(nth(u,m),nthcdr(u,n)))|)

(label nincdr1)

The inductive step is proved by a secondary induction on m. The case m = 0 gives a false
antecedent. When m is a successor the inductive formula is rewritten to an instance of line 10,
using the definitions of nth, nthcdr, length and the fact Successorless, file NATNUM, which is in
simpinfo.

Notice that we must tell EKL not to use the definitions of nth, nthcdr and length in the part
of the formula that corresponds to the conclusion.

2. (ue (a |λm.(n'<m∧m<length(x.u)⊃member(nth(x.u,m),nthcdr(x.u,n')))|)
proof_by_induction
(part 2 (nuse nthdef nthcdrdef lengthdef))
nincdr1 zero_non_less_successor)

;∀N2.N'<N2∧N2<LENGTH (X.U)⊃MEMBER(NTH(X.U,N2),NTHCDR(X.U,N'))

3. (ci nincdr1)

;(∀M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N)))⊃
;(∀N2.N'<N2∧N2<LENGTH U⊃MEMBER(NTH(X.U,N2),NTHCDR(U,N)))

We can conclude the main induction.

4. (ue (phi3 |λu n.∀m.n<m∧m<length(u)⊃member(nth(u,m),nthcdr(u,n))|)
doubleinduction1
(use nthmember mode: exact) (use * mode: exact))

;(∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N)))

It is interesting to notice that the above argument can be replaced by a one line proof, using
proof_by_induction as a rewriter.

0. (ue (phi3 |λu n.∀m.n<m∧m<length u⊃member(nth(u,m),nthcdr(u,n))|)
doubleinduction1
(use nthmember mode: exact)
(use proof_by_induction
ue: ((a.|λm.(n'<m∧m<length(u)⊃
member(nth(x.u,m),nthcdr(u,n)))|))
mode: exact))

;∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

In the last step an argument by cases is avoided by our technique of using second order
unification (line Normal).

5. (trw |∀u n m.n<m∧m<length(u)⊃member(nth(u,m),nthcdr(u,n))|
(open lesseq member) (use normal mode: always)
(use * nthcdr_car_cdr mode: exact))

;∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

(label nth_in_nthcdr) ■

The proofs of the following facts are easy and left to the Appendix.

1. ∀U N M.N<LENGTH U∧M<LENGTH (NTHCDR(U,N))⊃
NTH(NTHCDR(U,N),M)=NTH(U,M+N)

(label nth_nthcdr)

2. ∀U N.N<LENGTH U⊃LENGTH (NTHCDR(U,N))=LENGTH U-N
(label length_nthcdr)

3. ∀U.NTHCDR(U,LENGTH U)=NIL
(label last_nthcdr)

4. ∀U N.LENGTH(U)<N⊃NTHCDR(U,N)=NIL
(label trivial_nthcdr)

5. ∀A U N.ALLP(A,U)⊃ALLP(A,NTHCDR(U,N))

(label allp_nthcdr)

The principle of nthcdr induction can be viewed as a trick to reduce induction on lists to
finite induction on numbers. More interestingly, it is induction on lists localized to a given list,
i.e. induction on the tails of a given list. Assume a list u is given; we can prove that u has a
certain property phi from the fact that the null list has property phi and that if x.v is a tail
of u and v has the property phi then x.v has the property phi. Using the functions nth and
nthcdr we can formulate this method of proof as finite descent from phi(nthcdr(u,length(u)))
to phi(nthcdr(u,0)).

The mechanical derivation of this inductive principle is not terribly interesting and is left to
the Appendix.

6. ∀PHI U.PHI(NIL)∧
(∀N.N<LENGTH(U)⊃(PHI(NTHCDR(U,N'))⊃
PHI(NTH(U,N).NTHCDR(U,N'))))⊃PHI(U)

(label nthcdr_induction)
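The nthcdr facts of this section and the nthcdr induction principle, as an added Python example that is not part of the paper: nthcdr is written from its EKL axiom, Lemma 2.3, Lemma 2.4 and the facts Nth Nthcdr, Length Nthcdr, Last Nthcdr and Trivial Nthcdr are checked for one list and every n and m in range, and the induction principle is written as the finite descent from phi(nthcdr(u,length u)) to phi(nthcdr(u,0)) that the text describes. Lists are tuples and NIL is the empty tuple; the helper names are this example's own.

```python
# Added example (not from the paper): nthcdr modelled on the EKL axiom, an
# exhaustive check of Lemma 2.3 (Nthcdr Car Cdr), Lemma 2.4 (Nth in Nthcdr) and
# the facts Nth Nthcdr / Length Nthcdr / Last Nthcdr / Trivial Nthcdr, and the
# nthcdr induction principle written as the finite descent the text describes.

NIL = ()


def nth(u, n):
    """nth(nil,n)=nil, nth(u,0)=car u, nth(x.u,n')=nth(u,n)."""
    if u == NIL:
        return NIL
    return u[0] if n == 0 else nth(u[1:], n - 1)


def nthcdr(u, n):
    """nthcdr(nil,n)=nil, nthcdr(u,0)=u, nthcdr(x.u,n')=nthcdr(u,n)."""
    if u == NIL:
        return NIL
    return u if n == 0 else nthcdr(u[1:], n - 1)


def check_nthcdr_facts(u):
    """Check, for one list u and every n, m in range, the statements
    nthcdr_car_cdr, nth_in_nthcdr, nth_nthcdr, length_nthcdr, last_nthcdr
    and trivial_nthcdr.  Returns True when all of them hold."""
    L = len(u)
    for n in range(L + 2):
        if n < L:
            # Lemma 2.3: nthcdr(u,n) = nth(u,n).nthcdr(u,n')
            assert nthcdr(u, n) == (nth(u, n),) + nthcdr(u, n + 1)
            # length_nthcdr: length(nthcdr(u,n)) = length u - n
            assert len(nthcdr(u, n)) == L - n
        for m in range(L + 2):
            # Lemma 2.4: n<m and m<length u implies member(nth(u,m), nthcdr(u,n))
            if n < m < L:
                assert nth(u, m) in nthcdr(u, n)
            # nth_nthcdr: nth(nthcdr(u,n),m) = nth(u,m+n) inside the bounds
            if n < L and m < len(nthcdr(u, n)):
                assert nth(nthcdr(u, n), m) == nth(u, m + n)
    assert nthcdr(u, L) == NIL                    # last_nthcdr
    assert nthcdr(u, L + 1) == NIL                # trivial_nthcdr
    return True


def nthcdr_induction(phi, u):
    """The nthcdr induction principle as finite descent: starting from
    phi(nthcdr(u,length u)) = phi(nil), step n from length u - 1 down to 0,
    each time checking that phi carries over from the tail nthcdr(u,n') to
    nth(u,n).nthcdr(u,n') = nthcdr(u,n).  Returns True exactly when the
    descent establishes phi(u) = phi(nthcdr(u,0))."""
    L = len(u)
    if not phi(NIL):
        return False
    for n in range(L - 1, -1, -1):
        tail = nthcdr(u, n + 1)
        # hypothesis phi(nthcdr(u,n')) must yield phi(nth(u,n).nthcdr(u,n'))
        if phi(tail) and not phi((nth(u, n),) + tail):
            return False
    return phi(u)
```

Because each descent step only looks at nthcdr(u,n') and nth(u,n), the predicate phi is only ever evaluated on tails of the given u, which is the "induction localized to a given list" the text speaks of.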


2.8. Properties of Fstposition.

In the representation of permutations the function fstposition plays the role of the inverse
operation of nth. Here we give the definition of fstposition and some facts about it.

;fstposition
(proof fstposition)

1. (decl (fstposition) (type: |ground⊗ground→ground|))

2. (define fstposition
|∀x u y.fstposition(nil,y)=nil∧
fstposition(x.u,y)=if ¬member(y,x.u)
then nil
else if x=y
then 0
else add1(fstposition(u,y))|
listinductiondef)

(label fstpositiondef)

;facts about fstposition

3. (ue (phi |λu.(null fstposition(u,y)⊃¬member(y,u))∧
(member(y,u)⊃natnum fstposition(u,y))∧
(null fstposition(u,y)∨natnum fstposition(u,y))|)
listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U.(NULL FSTPOSITION(U,Y)⊃¬MEMBER(Y,U))∧
;(MEMBER(Y,U)⊃NATNUM(FSTPOSITION(U,Y)))∧
;(NULL FSTPOSITION(U,Y)∨NATNUM(FSTPOSITION(U,Y)))

(label simpinfo) (label posfacts) ■

4. (ue (phi |λu.∀y.sexp fstposition(u,y)|) listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U Y.SEXP FSTPOSITION(U,Y)

(label simpinfo) (label sortpos) ■


5. (ue (phi |λu.∀y.member(y,u)⊃fstposition(u,y)<length(u)|)
listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U Y.MEMBER(Y,U)⊃FSTPOSITION(U,Y)<LENGTH U
(label pos_length) ■


2.9. The Lemmata Nth Fstposition and Fstposition Nth.


Since these facts are very basic, we comment the proofs in detail.

Lemma 2.5 (Nth Fstposition)

∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N

The proof that fstposition is the right inverse of nth is a simple induction on lists.

1. (ue (phi |λu.∀n.member(n,u)⊃nth(u,fstposition(u,n))=n|)
listinduction
(use normal mode: always)
(open member fstposition nth))

;∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N
(label nth_fstposition) ■


To obtain the fact that fstposition is the left inverse of nth we need the additional hypothesis
that u has the uniqueness property.

Lemma 2.6 (Fstposition Nth)

∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N

Proof. By double induction on u and n.

(i) If u = NIL, then length(u) is 0, and we obtain a contradiction in the antecedent.

(ii) If n = 0, we prove by induction on u that

∀U.UNIQUENESS(U)∧0<LENGTH U⊃FSTPOSITION(U,CAR U)=0.

The base case is like (i), and the induction step is given by

fstposition(x.u,car(x.u)) = fstposition(x.u,x) = 0.

(iii) Assume the induction hypothesis

uniqueness(u)∧n<length(u)⊃fstposition(u,nth(u,n))=n.

We want:

uniqueness(x.u)∧n'<length(x.u)⊃fstposition(x.u,nth(x.u,n'))=n'.

Assume uniqueness(x.u) and n'<length(x.u), which are rewritten as

¬member(x,u) ∧ uniqueness(u) and n < length(u),

respectively.

(iv) Now

fstposition(x.u,nth(x.u,n'))

rewrites to

if x=nth(u,n) then 0 else fstposition(u,nth(u,n))'

We have only to show that x≠nth(u,n): for then we can apply the induction hypothesis. But if
x=nth(u,n), with n<length u, then x is a member of u, by Nthmember, contradicting (iii).


(proof fstposition_nth)

1. (ue (phi |λu.0<length u⊃fstposition(u,nth(u,0))=0|)
listinduction (open fstposition nth member))

;∀U.0<LENGTH U⊃FSTPOSITION(U,CAR U)=0

2. (derive |n<length u ∧ x=nth(u,n) ⊃ member(x,u)| (nthmember))

3. (derive |uniqueness(x.u)∧n<length u⊃¬x=nth(u,n)| * (open uniqueness))

4. (ue (phi3 |λu n.uniqueness u∧n<length u⊃fstposition(u,nth(u,n))=n|)
doubleinduction1 *
(open fstposition nth member uniqueness) -3 nthmember)

;∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N
(label fstposition_nth) ■


Remark. Example 4. The last line is a compact proof, obtained by an interesting combination
of rewriting steps. Let us look at the details of the rewriting process. The following statement
must be verified:

(setq rewritemessages t)

0. (ue (phi3 |λu n.uniqueness u∧n<length u⊃fstposition(u,nth(u,n))=n|)
doubleinduction1 (nuse simpinfo))

;(∀U N X.(UNIQUENESS(NIL)∧N<LENGTH NIL⊃FSTPOSITION(NIL,NTH(NIL,N))=N)∧
;(UNIQUENESS(U)∧0<LENGTH U⊃FSTPOSITION(U,NTH(U,0))=0)∧
;((UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)⊃
;(UNIQUENESS(X.U)∧N'<LENGTH (X.U)⊃
;FSTPOSITION(X.U,NTH(X.U,N'))=N')))⊃
;(∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)

Using simpinfo, without specifying any rewriter, only a few substitutions are made, by the
definition of nth and the fact Successorless.

0. (ue (phi3 |λu n.uniqueness u∧n<length u⊃fstposition(u,nth(u,n))=n|)
doubleinduction1)

;(∀U N X.(UNIQUENESS(U)∧0<LENGTH U⊃FSTPOSITION(U,CAR U)=0)∧
;((UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)⊃
;(UNIQUENESS(X.U)∧N<LENGTH U⊃FSTPOSITION(X.U,NTH(U,N))=N')))⊃
;(∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)

Let us see how the rewriting process simulates the above argument.

(i) First base case:

;the term UNIQUENESS(NIL) is replaced by:

TRUE

;the term LENGTH NIL is replaced by:

0

;the term N<0 is replaced by:

FALSE

;the term TRUE∧FALSE is replaced by:

FALSE

;the term FALSE⊃FSTPOSITION(NIL,NTH(NIL,N))=N is replaced by:

TRUE

Here EKL has found a contradiction in the antecedent.

(ii) Next EKL does the second base case, by expanding the definition of nth and using line 1:

;the term NTH(U,0) is replaced by:

CAR U

;the term FSTPOSITION(U,CAR U) is replaced by:

0

;the term 0=0 is replaced by:

TRUE

;the term UNIQUENESS(U)∧0<LENGTH U⊃TRUE is replaced by:

TRUE

(iii) Now EKL starts the induction step. It expands the definitions of uniqueness, length
and uses the fact Successorless (which is in simpinfo).
;the term UNIQUENESS(X.U) is replaced by:

¬MEMBER(X,U)∧UNIQUENESS(U)

;the term N'<LENGTH (X.U) is replaced by:

N<LENGTH U

;the term (¬MEMBER(X,U)∧UNIQUENESS(U))∧N<LENGTH U is replaced by:

¬MEMBER(X,U)∧UNIQUENESS(U)∧N<LENGTH U

(iv) In expanding fstposition, EKL finds two nested LISP conditionals:

;the term FSTPOSITION(X.U,NTH(X.U,N')) is replaced by:

IF ¬MEMBER(NTH(X.U,N'),X.U) THEN NIL ELSE (IF X=NTH(X.U,N') THEN 0 ELSE
FSTPOSITION(U,NTH(X.U,N'))')

;the term MEMBER(NTH(X.U,N'),X.U) is replaced by:
NTH(X.U,N')=X∨MEMBER(NTH(X.U,N'),U)

;the term NTH(X.U,N') is replaced by:

NTH(U,N)

;the term NTH(U,N)=X is replaced by:

FALSE

Line 3 has been used here.

;the term NTH(X.U,N') is replaced by:

NTH(U,N)

;the term MEMBER(NTH(U,N),U) is replaced by:

TRUE

Here EKL has used the fact Nthmember.

;the term FALSE∨TRUE is replaced by:

TRUE

;the term ¬TRUE is replaced by:

FALSE

The if clause of the outermost conditional is therefore false (see the first line after (iv)). Now EKL
moves to the else clause and finds the innermost conditional.

;the term NTH(X.U,N') is replaced by:

NTH(U,N)

;the term X=NTH(U,N) is replaced by:

FALSE

Line 3 has been used here again to see that the if clause of the innermost conditional is false.
Hence EKL considers the else clause, i.e.

FSTPOSITION(U,NTH(X.U,N'))'

(see the first line after (iv)).

;the term NTH(X.U,N') is replaced by:

NTH(U,N)

;the term FSTPOSITION(U,NTH(U,N)) is replaced by:

N


Here the induction hypothesis has been used.




;the term IF FALSE THEN 0 ELSE N' is replaced by:

N'

;the term IF FALSE THEN NIL ELSE N' is replaced by:
N'


This concludes the evaluation of the term FSTPOSITION(X.U,NTH(X.U,N')). The result follows by
standard rewriting.

;the term N'=N' is replaced by:

TRUE

;the term ¬MEMBER(X,U)∧UNIQUENESS(U)∧N<LENGTH U⊃TRUE is replaced by:

TRUE

;the term (UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)⊃TRUE is
replaced by:

TRUE

;the term TRUE∧TRUE∧TRUE is replaced by:

TRUE

;the term ∀U N X.TRUE is replaced by:

TRUE

;the term TRUE⊃(∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N)
is replaced by:

∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N
;∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N


□ 


2.10. Injectivity and Uniqueness.

We already pointed out that, in order to represent the property 'each member of a list u occurs
just once in the list u', we can use either the recursively defined predicate uniqueness

∀u x.uniqueness nil ∧
(uniqueness(x.u)≡¬member(x,u)∧uniqueness(u)),

or the predicate inj, defined using a bounded quantifier.

;injectivity

;another predicate for uniqueness
(proof inj)

(decl (inj) (type: |ground→truthval|))

(define inj
|∀u.inj(u)≡∀n m.n<length(u)∧m<length(u)∧nth(u,n)=nth(u,m)⊃n=m|)
(label injdef)

The proof of equivalence of the two predicates can be found in the Appendix.

∀U.UNIQUENESS(U)≡INJ(U)

(label uniqueness_injectivity)

Clearly the predicate uniqueness is more convenient in a proof by induction on lists. An
example is the previous Lemma Fstposition Nth: a direct proof of

∀U N.INJ(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N
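Sections 2.8 to 2.10 together, as an added Python example that is not part of the paper: fstposition, uniqueness and inj written from their EKL definitions, Lemma 2.5 (right inverse), Lemma 2.6 (left inverse under uniqueness) and the equivalence UNIQUENESS(U) ≡ INJ(U) checked exhaustively over a small constructed alphabet, and the reason Lemma 2.6 needs the uniqueness hypothesis made explicit: on a list with a repeated member fstposition always returns the first occurrence, so it cannot be a left inverse of nth at the later one. Lists are tuples, NIL is the empty tuple, and the NIL value of fstposition is modelled as None; the helper names are this example's own.

```python
# Added example (not from the paper): fstposition, uniqueness and inj modelled on
# the EKL definitions of Sections 2.8 and 2.10, with exhaustive checks of
# Lemma 2.5 (Nth Fstposition), Lemma 2.6 (Fstposition Nth) and the equivalence
# UNIQUENESS(U) ≡ INJ(U), plus the counterexample showing why Lemma 2.6 needs
# the uniqueness hypothesis.  Lists are tuples, NIL is ().
from itertools import product

NIL = ()


def nth(u, n):
    """nth(nil,n)=nil, nth(u,0)=car u, nth(x.u,n')=nth(u,n)."""
    if u == NIL:
        return NIL
    return u[0] if n == 0 else nth(u[1:], n - 1)


def fstposition(u, y):
    """fstposition(nil,y)=nil; fstposition(x.u,y) = nil if y not in x.u,
    0 if x=y, else add1(fstposition(u,y)).  NIL is modelled as None."""
    if u == NIL:
        return None
    if y not in u:
        return None
    return 0 if u[0] == y else fstposition(u[1:], y) + 1


def uniqueness(u):
    """uniqueness(nil); uniqueness(x.u) ≡ ¬member(x,u) ∧ uniqueness(u)."""
    return u == NIL or (u[0] not in u[1:] and uniqueness(u[1:]))


def inj(u):
    """inj(u) ≡ ∀n m. n<length u ∧ m<length u ∧ nth(u,n)=nth(u,m) ⊃ n=m."""
    L = len(u)
    return all(n == m for n in range(L) for m in range(L) if nth(u, n) == nth(u, m))


def fstposition_nth_holds(u):
    """Lemma 2.6 for one list: uniqueness(u) ∧ n<length u ⊃ fstposition(u,nth(u,n))=n
    for every n.  Returns None when the uniqueness antecedent is false, since then
    the lemma says nothing about u."""
    if not uniqueness(u):
        return None
    return all(fstposition(u, nth(u, n)) == n for n in range(len(u)))


def counterexample_without_uniqueness(u):
    """Return the first n for which fstposition(u,nth(u,n)) differs from n,
    or None if there is none.  For a repeated member fstposition finds the
    first occurrence, so the left-inverse property breaks at the later one."""
    for n in range(len(u)):
        if fstposition(u, nth(u, n)) != n:
            return n
    return None


def check_all(alphabet=("a", "b", "c"), max_len=4):
    """Exhaustively check Lemma 2.5, Lemma 2.6 and uniqueness ≡ inj over all
    lists of length <= max_len drawn from a constructed alphabet.  Returns the
    number of lists checked."""
    count = 0
    for k in range(max_len + 1):
        for u in product(alphabet, repeat=k):
            count += 1
            # Lemma 2.5 (right inverse): member(n,u) ⊃ nth(u,fstposition(u,n))=n
            for y in alphabet:
                if y in u:
                    assert nth(u, fstposition(u, y)) == y
                else:
                    assert fstposition(u, y) is None        # posfacts
            # Section 2.10: the two notions of 'no repeated member' agree
            assert uniqueness(u) == inj(u)
            # Lemma 2.6 (left inverse) needs the uniqueness hypothesis
            if uniqueness(u):
                assert fstposition_nth_holds(u)
                assert counterexample_without_uniqueness(u) is None
            else:
                assert counterexample_without_uniqueness(u) is not None
    return count
```

The final else branch is the caveat in code form: whenever uniqueness fails there is some position n at which the left-inverse equation fails, so the hypothesis in Lemma 2.6 is not merely convenient for the induction but necessary.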
2.11. The notions of Finite Union and Finite Sum.


We introduce functions that perform finite sums and finite unions, i.e. given f: N → N, the
operation

\sum_{m<n} f(m)

and given F: N → A, where A is a collection of sets, the operation

\bigcup_{m<n} F(m).


The recursively defined predicates all and some can be used instead of the bounded quantifiers
'for all m < n, a(m)' and 'for some m < n, a(m)'. The proof of Pigeonfact shows an effective use
of all.

(proof sums)

1. (decl allnum (type: |ground⊗@set→truthval|)
(syntype: constant))

2. (decl somenum (type: |ground⊗@set→truthval|)
(syntype: constant))

3. (decl (numseq f) (type: |ground→ground|))

4. (decl sum (type: |(@numseq)⊗(@n)→(@n)|) (syntype: constant))

5. (decl setseq (type: |@n→@set|))

6. (decl un (type: |(@setseq)⊗(@n)→(@set)|) (syntype: constant))

;axiom for allnum

7. (defax allnum |∀n a.allnum(0,a)∧(allnum(n',a)≡a(n)∧allnum(n,a))|)

(label allnumdef)

;axiom for somenum

8. (defax somenum |∀n a.¬somenum(0,a)∧(somenum(n',a)≡a(n)∨somenum(n,a))|)
(label somenumdef)

9. (defax sum
|∀n numseq.sum(numseq,0)=0∧
sum(numseq,n')=sum(numseq,n)+numseq(n)|)

(label sumdef)

10. (defax un
|∀n setseq.un(setseq,0)=emptyset∧
un(setseq,n')=un(setseq,n)∪setseq(n)|)

(label undef)

Finally we have a recursive predicate to identify finite sequences of disjoint sets.

9. (decl disj_pair (type: |(@set⊗@set)→truthval|))

10. (define disj_pair |∀a b.disj_pair(a,b)≡emptyp(a∩b)|)

(label disj_pair_def)

11. (decl disjoint (type: |((ground→@set)⊗ground)→truthval|))

12. (defax disjoint
|∀n setseq.
disjoint(setseq,0)∧
disjoint(setseq,n')≡(disjoint(setseq,n)∧
disj_pair(un(setseq,n),setseq(n)))|)

(label disjoint_def)

The following line gives the condition for sum to be defined:

;sumsort

3. (ue (a |λn.allnum(n,λm.natnum numseq(m))⊃natnum sum(numseq,n)|)
proof_by_induction (open allnum sum))

;∀N.ALLNUM(N,λM.NATNUM(NUMSEQ(M)))⊃NATNUM(SUM(NUMSEQ,N))

4. (rw * (use allnumfact mode: exact direction: reverse))

;∀N.(∀M.M<N⊃NATNUM(NUMSEQ(M)))⊃NATNUM(SUM(NUMSEQ,N))

(label sumsort) ■


2.12. The notion of Multiplicity.


The function mult counts the number of members in a list u that satisfy the predicate a.

(proof multiplicity)

1. (decl mult (type: |(ground⊗@set)→ground|))

2. (defax mult |∀x u a.mult(nil,a)=0∧
mult(x.u,a)=if a(x) then mult(u,a)' else mult(u,a)|)

(label mult_def)

The following fact about multiplicity is easy to prove.

3. (ue (phi |λu.∀a.natnum(mult(u,a))|) listinduction
(use mult_def mode: always))

(label simpinfo) (label multfact) ■

Lemma 2.8. (Length Mult)

∀U A.MULT(U,A)≤LENGTH U

Proof. There are two cases in the inductive step. If x does not satisfy a then

mult(x.u,a)=mult(u,a)≤length(x.u)

follows from the definitions and the induction hypothesis. Otherwise

mult(x.u,a)≤length(x.u)

follows from the definitions and the induction hypothesis (using SUCCESSORLESSEQ, which is in
simpinfo).

;multiplicity is lesseq length

;labels: LESSEQ_LESSEQ_SUCC
;∀N M.N≤M⊃N≤M'

;labels: SIMPINFO SUCCESSORFACTS SUCCESSORLESSEQ
;∀N M.N'≤M'≡N≤M

4. (ue (phi |λu.mult(u,a)≤length(u)|) listinduction
(open mult length) (use lesseq_lesseq_succ)
(part 1#1 (open lesseq)))

;∀U.MULT(U,A)≤LENGTH U
(label length_mult) ■


Lemma 2.9. (Member Mult)

∀U Y A.MEMBER(Y,U)∧A(Y)⊃1≤MULT(U,A)

;if there is a member, multiplicity is not zero

5. (ue (phi |λu.∀y a.member(y,u)∧a(y)⊃0<mult(u,a)|) listinduction
(open mult member) (use normal mode: always))

;∀U Y A.MEMBER(Y,U)∧A(Y)⊃0<MULT(U,A)

6. (rw * (use less_lesseqsucc mode: always))

;∀U Y A.MEMBER(Y,U)∧A(Y)⊃1≤MULT(U,A)

(label member_mult) ■

Lemma 2.10. (Mult Nthcdr)

∀N A U.N<LENGTH U⊃MULT(NTHCDR(U,N),A)≤MULT(U,A)

Mult Nthcdr is only slightly more difficult. Line 8 is needed to help the rewriter in line 9.
The problem in line 9 is the following: we want to expand the definition of mult in the following
argument for the induction step: if a(nth(u,n)), then

mult(nthcdr(u,n),a) = mult(nth(u,n).nthcdr(u,n'),a) = mult(nthcdr(u,n'),a)'

otherwise

mult(nthcdr(u,n),a) = mult(nth(u,n).nthcdr(u,n'),a) = mult(nthcdr(u,n'),a).

But

mult(nthcdr(u,n'),a)' ≤ mult(u,a)

implies, using the fact Succ Lesseq Lesseq,

mult(nthcdr(u,n'),a) ≤ mult(u,a).


Therefore, in both cases

mult(nthcdr(u,n),a) ≤ mult(u,a)

implies

mult(nthcdr(u,n'),a) ≤ mult(u,a).


This involves a combination of rewriting and logical reasoning; the definition of mult is
expanded into an if ... then ... else form and the instance of Succ Lesseq Lesseq is an implication.
We help EKL by giving the logical step described above as a separate rewriter (line 8) using Trans
Cond.


;labels: TRANS_COND
;∀P Q R.(Q⊃R)∧(IF P THEN Q ELSE R)⊃R

;labels: SUCC_LESSEQ_LESSEQ
;∀M N.M'≤N⊃M≤N

8. (ue ((q.|mult(nthcdr(u,n'),a)'≤mult(u,a)|)
(r.|mult(nthcdr(u,n'),a)≤mult(u,a)|)
(p.|a(nth(u,n))|))
trans_cond
(use succ_lesseq_lesseq
ue: ((m.|mult(nthcdr(u,n'),a)|)
(n.|mult(u,a)|)) mode: exact))

;(IF A(NTH(U,N)) THEN MULT(NTHCDR(U,N'),A)'≤MULT(U,A)
;ELSE MULT(NTHCDR(U,N'),A)≤MULT(U,A))⊃
;MULT(NTHCDR(U,N'),A)≤MULT(U,A)

;conclusion

9. (ue (a |λn.∀a u.n<length(u)⊃mult(nthcdr(u,n),a)≤mult(u,a)|)
proof_by_induction
(part 1#1 (open lesseq)) succ_less_less
(part 1#2#1#1 (use nthcdr_car_cdr mode: always))
(open mult) *)

;∀N A U.N<LENGTH U⊃MULT(NTHCDR(U,N),A)≤MULT(U,A)

(label mult_nthcdr) ■


;mult emptyset

(ue (phi |λu.mult(u,emptyset)=0|) listinduction
(part 1 (open emptyset mult)))

;∀U.MULT(U,EMPTYSET)=0

(label simpinfo) (label emptyfacts) ■
2.12.1. Multiplicity Implies Injectivity.


The following Lemma embodies the main use of the notion of multiplicity. If the number of
the occurrences of every member of a list v is 1, then the list has the injectivity property: for
i,j < length(v),

nth(v,i)=nth(v,j)⊃i=j.

We use the following fact: if nth(v,i) = nth(v,j) and i<j, then the multiplicity of the set
mkset nth(v,i) is at least 2.

∀V I J.I<J∧J<LENGTH V∧NTH(V,I)=NTH(V,J)⊃
2≤MULT(V,MKSET(NTH(V,I)))

(label multinj_computation)

The proof of Multinj Computation, a consequence of the lemmata Nth in Nthcdr and Member Mult,
is left to the Appendix.

Lemma 2.11. (Mult Inj)

∀V.(∀K.K<LENGTH V⊃MULT(V,MKSET(NTH(V,K)))=1)⊃INJ(V)

Proof. At lines 3 and 4 we instantiate Multinj Computation and we use line 1 to derive that
if i < j or j < i, then 2 ≤ 1. Now we exploit semantic attachment: EKL knows that 2 < 1 and
2 = 1 are false. An application of the trichotomy concludes the proof.

1. (assume |∀k.k<length v⊃mult(v,mkset(nth(v,k)))=1|)

(label mi1)

2. (assume |i<length v∧j<length v∧nth(v,i)=nth(v,j)|)

(label mi2)

3. (ue ((v.v)(i.i)(j.j)) multinj_computation mi2
(use mi1 ue: ((k.i)) mode: exact) (open lesseq))

;deps: (MI1 MI2)

4. (ue ((v.v)(i.j)(j.i)) multinj_computation mi2
(use mi1 ue: ((k.j)) mode: exact) (open lesseq))

;¬J<I

;deps: (MI1 MI2)

5. (derive |i=j| (trichotomy * -2))

;deps: (MI1 MI2)

6. (ci mi2)

;I<LENGTH V∧J<LENGTH V∧NTH(V,I)=NTH(V,J)⊃I=J
;deps: (MI1)

7. (trw |inj v| (open inj) *)

;INJ(V)

;deps: (MI1)

8. (ci mi1)

;(∀K.K<LENGTH V⊃MULT(V,MKSET(NTH(V,K)))=1)⊃INJ(V)
(label mult_inj) ■


2.12.2. The Multiplicity of a Disjoint Union is the Sum of Multiplicities.


Consider a list and two sets (say, the sets of occurrences of two different S-expressions in the
list). If the sets are disjoint, then the sum of multiplicities is the multiplicity of the union (Lemma
Multsum). Lemma Multsum generalizes to any finite sequence of disjoint sets (Lemma Mult of Un
is Sum Mult).

Lemma 2.12. (Multsum)

∀U.DISJ_PAIR(A,B)⊃MULT(U,A∪B)=MULT(U,A)+MULT(U,B)

Proof: By induction on u. For u = NIL, all values of mult are 0. Assume the result for u. The
assumption that a and b are a disjoint pair of sets means that the intersection of a and b is empty.
If not x ∈ a and not x ∈ b, then the induction hypothesis gives the result. If either x ∈ a or x ∈ b, then

mult(x.u,a∪b) = mult(u,a∪b)' = (mult(u,a)+mult(u,b))' = mult(x.u,a)+mult(x.u,b),

where the induction hypothesis is used to establish the second equality.

The mechanical proof is one line long:

(proof multsum)

1. (ue (phi |λu.disj_pair(a,b)⊃mult(u,a∪b)=mult(u,a)+mult(u,b)|)
listinduction
(part 1 (open mult union disj_pair emptyp intersection)
(use normal mode: always))
(part 1 (der)))

(label multsum) ■

The lemma Multsum is used in the induction step in the proof of the next fact:

Lemma 2.13. (Mult of Un is Sum Mult) If all the sets of the sequence setseq are pairwise disjoint,
then

mult(u, \bigcup_{m<n} setseq(m)) = \sum_{m<n} mult(u, setseq(m)):

∀SETSEQ U N.DISJOINT(SETSEQ,N)⊃
MULT(U,UN(SETSEQ,N))=SUM(λX1.MULT(U,SETSEQ(X1)),N)

Proof. By induction on n. For n = 0,

\bigcup_{m<0} setseq(m)

is the empty set, whose multiplicity is 0 (by 'simpinfo'), and

\sum_{m<0} mult(u, setseq(m))

is 0 too.

Assume the result for n. Now

disjoint(setseq,n')

implies

disj_pair(un(setseq,n),setseq(n));

this implies, using MULTSUM,

mult(u, \bigcup_{m<n'} setseq(m)) = mult(u, \bigcup_{m<n} setseq(m)) + mult(u,setseq(n)),

which is, by definition of un and induction hypothesis,

= \sum_{m<n} mult(u,setseq(m)) + mult(u,setseq(n)) = \sum_{m<n+1} mult(u,setseq(m)).

Here the mechanical proof is again one line long!

(proof mult_of_un_is_sum_mult)

1. (ue (a |λn.disjoint(setseq,n)⊃
mult(u,un(setseq,n))=sum(λx1.mult(u,setseq(x1)),n)|)
proof_by_induction
(open disjoint un sum mult) multfact
(use multsum mode: exact) (use normal mode: always))

;∀N.DISJOINT(SETSEQ,N)⊃
;MULT(U,UN(SETSEQ,N))=SUM(λX1.MULT(U,SETSEQ(X1)),N)

(label mult_of_un_is_sum_mult) ■
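Sections 2.11 and 2.12 together, as an added Python example that is not part of the paper: sum, un, disj_pair, disjoint and mult written from their EKL axioms, with Lemmas 2.8 (Length Mult), 2.9 (Member Mult), 2.10 (Mult Nthcdr), 2.11 (Mult Inj), 2.12 (Multsum) and 2.13 (Mult of Un is Sum Mult) checked exhaustively on all short lists over a constructed three-letter alphabet and all subsets of it, plus the failure of Multsum when the two sets overlap. The paper's @set (a predicate ground→truthval) is modelled as a frozenset over that alphabet, which makes emptyp(a∩b) decidable; lists are tuples and NIL is the empty tuple. The names ALPHABET, sum_, all_subsets and the check functions are this example's own.

```python
# Added example (not from the paper): the functions of Sections 2.11 and 2.12
# (sum, un, disjoint, mult) modelled in Python on the EKL axioms, with
# exhaustive checks of Lemmas 2.8 (Length Mult), 2.9 (Member Mult), 2.10
# (Mult Nthcdr), 2.11 (Mult Inj), 2.12 (Multsum) and 2.13 (Mult of Un is Sum Mult).
# Sets (the paper's @set, a predicate ground→truthval) are modelled as frozensets
# over a small constructed alphabet; lists are tuples and NIL is ().
from itertools import product, combinations

NIL = ()
ALPHABET = ("a", "b", "c")          # constructed universe of S-expressions


def nthcdr(u, n):
    """nthcdr(nil,n)=nil, nthcdr(u,0)=u, nthcdr(x.u,n')=nthcdr(u,n)."""
    if u == NIL:
        return NIL
    return u if n == 0 else nthcdr(u[1:], n - 1)


def mult(u, a):
    """mult(nil,a)=0; mult(x.u,a) = mult(u,a)' if a(x) else mult(u,a)."""
    if u == NIL:
        return 0
    return mult(u[1:], a) + (1 if u[0] in a else 0)


def sum_(numseq, n):
    """sum(numseq,0)=0; sum(numseq,n')=sum(numseq,n)+numseq(n)."""
    return 0 if n == 0 else sum_(numseq, n - 1) + numseq(n - 1)


def un(setseq, n):
    """un(setseq,0)=emptyset; un(setseq,n')=un(setseq,n) ∪ setseq(n)."""
    return frozenset() if n == 0 else un(setseq, n - 1) | setseq(n - 1)


def disj_pair(a, b):
    """disj_pair(a,b) ≡ emptyp(a ∩ b)."""
    return not (a & b)


def disjoint(setseq, n):
    """disjoint(setseq,0); disjoint(setseq,n') ≡ disjoint(setseq,n) ∧
    disj_pair(un(setseq,n), setseq(n))."""
    return n == 0 or (disjoint(setseq, n - 1)
                      and disj_pair(un(setseq, n - 1), setseq(n - 1)))


def inj(u):
    """inj(u): equal members of u sit at equal positions, i.e. no repeats."""
    return len(set(u)) == len(u)


def all_subsets(alphabet):
    """Every subset of the alphabet, as the collection of sets to quantify over."""
    return [frozenset(c) for k in range(len(alphabet) + 1)
            for c in combinations(alphabet, k)]


def multsum_without_disjointness(u, a, b):
    """Multsum fails when a and b overlap: returns (mult(u,a∪b), mult(u,a)+mult(u,b));
    the two sides differ by the number of members of u lying in a ∩ b."""
    return mult(u, a | b), mult(u, a) + mult(u, b)


def check_mult_lemmas(max_len=3):
    """Exhaustively check Lemmas 2.8-2.13 on all lists of length <= max_len
    over ALPHABET and all subsets of ALPHABET.  Returns the number of lists."""
    sets = all_subsets(ALPHABET)
    count = 0
    for k in range(max_len + 1):
        for u in product(ALPHABET, repeat=k):
            count += 1
            for a in sets:
                assert mult(u, a) <= len(u)                              # Lemma 2.8
                for y in ALPHABET:                                       # Lemma 2.9
                    if y in u and y in a:
                        assert 1 <= mult(u, a)
                for n in range(len(u) + 1):                              # Lemma 2.10
                    assert mult(nthcdr(u, n), a) <= mult(u, a)
                for b in sets:                                           # Lemma 2.12
                    if disj_pair(a, b):
                        assert mult(u, a | b) == mult(u, a) + mult(u, b)
            # Lemma 2.11: every member occurring once (mult of its mkset = 1) ⊃ inj
            if all(mult(u, frozenset({x})) == 1 for x in u):
                assert inj(u)
            # Lemma 2.13 on the sequence of singletons {a},{b},{c}, which is disjoint
            setseq = lambda i: frozenset({ALPHABET[i]})
            for n in range(len(ALPHABET) + 1):
                assert disjoint(setseq, n)
                assert mult(u, un(setseq, n)) == sum_(lambda i: mult(u, setseq(i)), n)
    return count
```

In multsum_without_disjointness the gap between the two values is exactly mult(u, a∩b), which is why the emptyp(a∩b) hypothesis of Lemma 2.12 cannot be dropped.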
3. Notions of Application.


We give the basic facts about application, injection and permutation using two representations
for finite functions: functions as association lists and functions as lists of numbers.


3.1. Function Application using Association Lists.


Our first approach uses association lists. We recall the recursive definition of alist (see the
Appendix) and present the main definitions (see also the Introduction 1.5.2).

55. (decl (alist) (type: ground) (sort: alistp))

56. (axiom |∀alist.listp alist|)

(label simpinfo)

57. (axiom |∀u.alistp u ≡ (¬null u ⊃
¬atom car u∧atom car(car u)∧alistp(cdr u))|)

(label alistdef1)

58. (axiom |∀xa y alist.alistp nil ∧ alistp (xa.y).alist|)

(label alistdef) (label simpinfo)

(wipe-out)

(get-proofs nth)

(proof appalist)

1. (decl dom (type: |GROUND→GROUND|))

2. (defax dom |∀xa y alist.dom nil=nil∧
dom((xa.y).alist)=xa.dom alist|)

(label domdef)

3. (decl range (type: |GROUND→GROUND|))

4. (defax range |∀xa y alist.range nil=nil∧
range((xa.y).alist)=y.range alist|)

(label rangedef)

5. (decl functp (type: |GROUND→TRUTHVAL|))

6. (define functp |∀alist.functp(alist)≡uniqueness dom(alist)|)

(label functdef)

7. (decl injectp (type: |GROUND→TRUTHVAL|))

8. (define injectp
|∀alist.injectp(alist)≡functp(alist)∧uniqueness range(alist)|)

(label injectdef)

9. (decl (appalist) (type: |ground⊗ground→ground|))

10. (define appalist |∀alist y.appalist(y,alist)=cdr assoc(y,alist)|)

(label appalistdef)

Let alist_f represent the function f. As noticed above, dom(alist_f) and range(alist_f) do
not give the domain and the range of f; rather they list the domain and the range of the function
in the ordering given by the association list alist_f. To abstract from such ordering we use the
functional mklset. (Given a list u, mklset(u) is the set of members of u, identified, as usual, with
the predicate λx.member(x,u)).

As we pointed out in the introduction, the same function can be represented by several
association lists, in fact by the equivalence class of association lists. The predicate samemap is the
appropriate equivalence relation: two association lists alist1 and alist2 represent the same map
if

(i) they are 'defined' on the same set, i.e. their domains are the same as sets, and

(ii) for all y, appalist(y,alist1) = appalist(y,alist2), i.e. if they 'map' the same
elements into the same elements.

Both conditions are needed: appalist(y,alist) may be NIL either because the pair (y.NIL)
belongs to alist or because y does not belong to dom(alist); we do not want to identify the two
cases.

11. (decl (samemap) (type: |ground⊗ground→truthval|))

12. (define samemap
      |∀alist alist1. samemap(alist,alist1) ≡
         mklset dom(alist)=mklset dom(alist1) ∧
         (∀y. y∈mklset dom(alist) ⊃
              appalist(y,alist)=appalist(y,alist1))|)

(label samemapdef)

13. (define permutp |∀alist. permutp(alist) ≡
         functp(alist) ∧ mklset(dom(alist))=mklset(range(alist))|)

(label permutp_def)

14. (axiom |∀chi. chi(nil) ∧ (∀xa y alist. chi(alist) ⊃ chi((xa.y).alist)) ⊃
              (∀alist. chi(alist))|)

(label alistinduction)

Alist  Induction  is  easily  derivable  from  Listinduction  (see  the  Appendix). 

The  following  facts  are  very  easy  to  prove: 

(proof alistfacts)

;domsort

1. (ue (chi |λalist. listp dom(alist)|) alistinduction (open dom))

;∀ALIST. LISTP DOM(ALIST)

(label domsort) (label simpinfo)

;rangesort

2. (ue (chi |λalist. listp range(alist)|) alistinduction (open range))

;∀ALIST. LISTP RANGE(ALIST)

(label rangesort) (label simpinfo)

;domlength

3. (ue (chi |λalist. length dom alist=length alist|) alistinduction
       (open dom))

;∀ALIST. LENGTH(DOM(ALIST))=LENGTH ALIST

(label domlength)

;domrangelength

4. (ue (chi |λalist. length(dom alist)=length(range alist)|)
       alistinduction
       (open dom range))

;∀ALIST. LENGTH(DOM(ALIST))=LENGTH(RANGE(ALIST))

(label domrangelength)

;appalistsort

5. (ue (chi |λALIST. SEXP APPALIST(Y,ALIST)|)
       alistinduction
       (part 1 (open appalist assoc)))

;∀ALIST. SEXP APPALIST(Y,ALIST)

(label appalistsort) (label simpinfo)

;trivial_appalist

6. (ue (chi |λalist. ¬(y∈mklset dom(alist)) ⊃ appalist(y,alist)=nil|)
       alistinduction
       (part 1 (open epsilon mklset dom appalist assoc member)))

;∀ALIST. ¬Y∈MKLSET(DOM(ALIST)) ⊃ APPALIST(Y,ALIST)=NIL

(label trivial_appalist)

samemap is an equivalence relation:

7. (trw |samemap(alist,alist)| (open samemap))

;SAMEMAP(ALIST,ALIST)

(label samemap_equivalence)

8. (trw |samemap(alist,alist1) ⊃ samemap(alist1,alist)|
        (open samemap mklset dom))

;SAMEMAP(ALIST,ALIST1) ⊃ SAMEMAP(ALIST1,ALIST)

(label samemap_equivalence)

9. (trw |samemap(alist,alist1) ∧ samemap(alist1,alist2) ⊃
         samemap(alist,alist2)|
        (open samemap mklset dom))

;SAMEMAP(ALIST,ALIST1) ∧ SAMEMAP(ALIST1,ALIST2) ⊃ SAMEMAP(ALIST,ALIST2)

(label samemap_equivalence)

The restriction to elements of the domain in the definition of appalist is not necessary: appalist has a default value, as shown in the line Trivial Appalist. The easy proof of equivalence is in the Appendix.

10. ∀ALIST1 ALIST2. SAMEMAP(ALIST1,ALIST2) ≡
      (MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2)) ∧
       (∀X. APPALIST(X,ALIST1)=APPALIST(X,ALIST2)))

(label samemap_def1)
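The alist representation and the samemap equivalence above, as an added Python model that is not code from the paper (which works in EKL); NIL is modelled as None, an alist as a list of (key, value) pairs, and the sample alists are constructed:

```python
# Added example, not from the paper: a Python model of the association-list
# representation of finite functions (dom, range, appalist, mklset, functp,
# injectp, permutp, samemap). Names follow the EKL definitions; NIL is None,
# an alist is a list of (key, value) pairs, and the sample data is constructed.
NIL = None


def assoc(y, alist):
    """Lisp assoc: the first pair of alist whose car is y, or NIL."""
    for pair in alist:
        if pair[0] == y:
            return pair
    return NIL


def appalist(y, alist):
    """appalist(y,alist) = cdr assoc(y,alist); cdr of NIL is NIL, so keys
    outside the domain get the default value NIL (line Trivial Appalist)."""
    pair = assoc(y, alist)
    return NIL if pair is NIL else pair[1]


def dom(alist):
    """The keys, in the order of the alist (a list, not a set)."""
    return [xa for xa, _ in alist]


def rng(alist):
    """The values, in the order of the alist (the paper's `range`)."""
    return [y for _, y in alist]


def mklset(u):
    """The set of members of u: order and repetitions are forgotten."""
    return frozenset(u)


def uniqueness(u):
    """No element of the list u occurs twice."""
    return len(u) == len(mklset(u))


def functp(alist):
    return uniqueness(dom(alist))


def injectp(alist):
    return functp(alist) and uniqueness(rng(alist))


def permutp(alist):
    # permutp does not mention injectp: that permutp implies injectp is what
    # the paper proves later with the Pigeon Hole Principle (Section 4.3.1).
    return functp(alist) and mklset(dom(alist)) == mklset(rng(alist))


def samemap(alist1, alist2):
    """Conditions (i) and (ii) of the text: same domain as sets, and the same
    value at every key of that domain."""
    if mklset(dom(alist1)) != mklset(dom(alist2)):
        return False
    return all(appalist(y, alist1) == appalist(y, alist2)
               for y in mklset(dom(alist1)))


def samemap_unrestricted(alist1, alist2):
    """The form of line 10: quantify over all keys instead of dom(alist).
    Because appalist defaults to NIL off the domain, a key absent from both
    alists (here a constructed sentinel) behaves the same on both sides."""
    if mklset(dom(alist1)) != mklset(dom(alist2)):
        return False
    keys = mklset(dom(alist1)) | mklset(dom(alist2)) | {("sentinel",)}
    return all(appalist(y, alist1) == appalist(y, alist2) for y in keys)


# Constructed sample data.
PERM_A = [(1, 2), (2, 3), (3, 1)]   # a permutation of {1,2,3}
PERM_B = [(3, 1), (1, 2), (2, 3)]   # the same map in another order
NIL_PAIR = [(1, NIL)]               # the pair (1 . NIL) is in the alist
EMPTY = []                          # 1 is not in the domain at all


def demo():
    """The facts the text states, as a dictionary of checks."""
    return {
        "same_map_reordered": samemap(PERM_A, PERM_B),
        "dom_as_lists_differ": dom(PERM_A) != dom(PERM_B),
        "permutp_and_injectp": permutp(PERM_A) and injectp(PERM_A),
        "shadowed_key_is_not_functp": functp([(1, 2), (1, 3)]),
        # the caveat: appalist agrees at 1, yet the two maps differ
        "nil_caveat_appalist_equal": appalist(1, NIL_PAIR) == appalist(1, EMPTY),
        "nil_caveat_samemap": samemap(NIL_PAIR, EMPTY),
        "line10_form_agrees": samemap_unrestricted(PERM_A, PERM_B),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```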
3.2. Function Application using Lists of Numbers.

Our second representation of functions uses lists of numbers.

;definition of application
(proof appl)

1. (define appl |∀u i. appl(u,i)=nth(u,i)|)

(label appldef)

;predicates for functions

2. (decl (into) (type: |ground→truthval|))

3. (define into
     |∀u. into(u)=(∀n. n<length u ⊃ natnum nth(u,n) ∧ nth(u,n)<length u)|)

(label intodef)

4. (decl (onto) (type: |ground→truthval|))

5. (define onto |∀u. onto(u)=(into(u) ∧ (∀n. n<length u ⊃ member(n,u)))|)

(label ontodef)

6. (decl (perm) (type: |ground→truthval|))

7. (define perm |∀u. perm(u)=onto(u)|)

(label permdef)
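The list-of-numbers representation just defined, as an added Python example that is not part of the paper; compose, identity and inverse are assumed definitions of the group operations the paper's main result concerns, and the sample lists are constructed:

```python
# Added example, not from the paper: the list-of-numbers representation of
# Section 3.2 in Python. A function on {0,...,length u - 1} is a list u of
# natural numbers, appl(u,i) = nth(u,i), and into/onto/perm follow the EKL
# definitions above. compose, identity and inverse are assumed additions (the
# group operations the paper's main result concerns); sample data is constructed.
def nth(u, i):
    """nth(u,i): the i-th element, counting from 0; NIL (None) past the end."""
    return u[i] if 0 <= i < len(u) else None


def appl(u, i):
    return nth(u, i)


def member(x, u):
    return x in u


def into(u):
    """Every nth(u,n), n < length u, is a natural number below length u."""
    n = len(u)
    return all(isinstance(nth(u, k), int) and 0 <= nth(u, k) < n
               for k in range(n))


def onto(u):
    """into(u), and every n < length u is a member of u."""
    return into(u) and all(member(n, u) for n in range(len(u)))


def perm(u):
    return onto(u)


def extensional_equal(u, v):
    """The Extensionality theorem proved below: two lists are equal when they
    have the same length and agree at every index below it."""
    return len(u) == len(v) and all(nth(u, i) == nth(v, i)
                                    for i in range(len(u)))


def compose(u, v):
    """(u o v)(i) = appl(u, appl(v, i)), for u, v both `into` of equal length."""
    assert len(u) == len(v) and into(u) and into(v)
    return [appl(u, appl(v, i)) for i in range(len(v))]


def identity(n):
    return list(range(n))


def inverse(u):
    """For a permutation u, the list w with appl(w, appl(u, i)) = i."""
    assert perm(u)
    w = [None] * len(u)
    for i in range(len(u)):
        w[appl(u, i)] = i
    return w


def is_group_element(u):
    """A spot check of the group laws on one permutation: the composite with
    its inverse is again a permutation and is the identity on both sides."""
    n = len(u)
    w = inverse(u)
    return (perm(compose(u, w))
            and extensional_equal(compose(u, w), identity(n))
            and extensional_equal(compose(w, u), identity(n)))


if __name__ == "__main__":
    u = [2, 0, 1]
    print(perm(u), inverse(u), is_group_element(u))
```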

Extensionality is proved using Doubleinduction. To do the inductive step, we instantiate twice the assumption of line 3, by replacing i first with 0 (line 4) and then with i' (line 5).

(proof extensionality)

(show doubleinduction)

;labels: DOUBLEINDUCTION

;∀PHI2. (∀U V X Y. PHI2(NIL,U) ∧ PHI2(U,NIL) ∧ (PHI2(U,V) ⊃ PHI2(X.U,Y.V))) ⊃
;       (∀U V. PHI2(U,V))

;first attempt:

0. (ue (phi2 |λu v. length u=length v ∧
                    (∀i. i<length u ⊃ nth(u,i)=nth(v,i)) ⊃ u=v|)
       doubleinduction (open nth))

(∀U V X Y. (LENGTH U=LENGTH V ∧
            (∀I. I<LENGTH V ⊃ NTH(U,I)=NTH(V,I)) ⊃ U=V) ⊃
           (LENGTH U=LENGTH V ∧
            (∀I. I<LENGTH V' ⊃ NTH(X.U,I)=NTH(Y.V,I)) ⊃ X.U=Y.V)) ⊃
(∀U V. LENGTH U=LENGTH V ∧ (∀I. I<LENGTH V ⊃ NTH(U,I)=NTH(V,I)) ⊃ U=V)

1. (assume |LENGTH U=LENGTH V ∧ (∀I. I<LENGTH V ⊃ NTH(U,I)=NTH(V,I)) ⊃ U=V|)
(label ext1)

2. (assume |LENGTH U=LENGTH V|)

(label ext2)

3. (assume |∀I. I<LENGTH V' ⊃ NTH(X.U,I)=NTH(Y.V,I)|)

(label ext3)

4. (ue (i 0) * ext2)

;X=Y

(label ext4)

;deps: (EXT2 EXT3)

5. (ue (i |i'|) ext3 ext2)

;I<LENGTH V ⊃ NTH(U,I)=NTH(V,I)

(label ext5)

;deps: (EXT2 EXT3)

6. (derive |u=v| (ext1 ext2 ext5))

(label ext6)

;deps: (EXT1 EXT2 EXT3)

7. (trw |x.u=y.v| (use ext4 ext6 mode: exact))

;X.U=Y.V

;deps: (EXT1 EXT2 EXT3)

8. (ci (ext2 ext3))

;LENGTH U=LENGTH V ∧ (∀I. I<LENGTH U ⊃ NTH(X.U,I)=NTH(Y.V,I)) ⊃ X.U=Y.V
;deps: (EXT1)

9. (ci ext1)

;(LENGTH U=LENGTH V ∧ (∀I. I<LENGTH U ⊃ NTH(U,I)=NTH(V,I)) ⊃ U=V) ⊃
;(LENGTH U=LENGTH V ∧ (∀I. I<LENGTH U ⊃ NTH(X.U,I)=NTH(Y.V,I)) ⊃ X.U=Y.V)

10. (ue (phi2 |λu v. length u=length v ∧
                     (∀i. i<length u ⊃ nth(u,i)=nth(v,i)) ⊃ u=v|)
        doubleinduction (open nth) *)

;∀U V. LENGTH U=LENGTH V ∧ (∀I. I<LENGTH V ⊃ NTH(U,I)=NTH(V,I)) ⊃ U=V
(label extensionality) ■

11. (trw |∀u i. i<length u ⊃ sexp(appl(u,i)) ∧ member(appl(u,i),u)|
        (open appl) nthmember)

;∀U I. I<LENGTH U ⊃ SEXP APPL(U,I) ∧ MEMBER(APPL(U,I),U)

(label simpinfo) (label applfacts) ■


2.13. Conclusion of Part I.

It may be appropriate to conclude the first part with some remarks and guidelines for the heuristics of particular proofs in EKL. In the second part we will make some suggestions on how to choose among mathematical representations and linguistic variants, how to organize the proofs, how to break them into lemmata and how to improve the efficiency of proofs.

How should a user proceed?

1. First, we must make sure that we understand the mathematical notions and have a proof strategy that works on paper. In particular:

— If a proof by induction is needed, EKL will not give hints on the form of induction.

— Even if the result follows by expanding the definitions and making appropriate substitutions, we cannot expect the rewriting process to find the right substitutions by itself.

As a proof checker, EKL is not designed to cope with the danger of combinatorial explosion. EKL commands give the user many ways to control and direct the rewriting process according to her (his) proof strategy.

2. Two methods are available in searching for a proof.

— Search by trial and error. Try to obtain a proof in a single line. If this does not succeed, use the output of EKL to establish what other information is needed and try again.

— Expand the proof using explicitly the logic decision procedure in the style of Natural Deduction. This is safer, but time consuming.

3. Suppose that, according to the first alternative, we ask EKL to rewrite a certain formula A to true (or a certain term t to t') and EKL gives instead some error message or returns A = B (or t = u). The output of EKL and the form of B (or of u) always give useful information. Rewriting may fail because

(i) Type conditions are not satisfied. In this case EKL will return an error message. There may be a parsing error, or we need to modify some definition. Otherwise, we tried to prove something that cannot be expressed in EKL.

(proof foo)

(trw |p⊃p⊃p|)

;P is unknown.

;type-check: ⊃

;does not apply in P⊃P⊃P

;-it currently has type (TRUTHVAL⊗TRUTHVAL)→TRUTHVAL

1.

(trw |f(f)|)

;FOO started.

1. ;F is unknown.

;type-check: F

;does not apply in F(F)

;-it currently has type GROUND→GROUND
(ii) Sort conditions are not satisfied. If something totally obvious didn't work, this may be the reason. A sorted language is more flexible, but some information is left implicit. To check sorts is of course an essential step: it amounts to checking that a term has the intended meaning or that a function is defined for the given argument.

(proof foo)

1. (decl (m n) (type: ground) (sort: natnum))

2. (decl plus (type: |ground⊗ground→ground|)
          (infixname: |+|) (bindingpower: 930))

3. (decl (f) (type: |ground→ground|))

4. (define f |∀n. f(n)=1|)

5. (decl (g) (type: |ground→ground|))

6. (define g |∀n. g(n)=n|)

7. (trw |f(f(n)+1)| (open f))

;F(F(N)+1)=1

8. (trw |f(g(n)+1)| (open f g))

;F(G(N)+1)=F(N+1)

What's wrong here? Of course we have forgotten the information that n+1 is of the sort natnum, so in line 8 the rewriting cannot continue. As soon as this information is available, the rewriting is completed (line 10).

9. (axiom |∀n. natnum(n+1)|)

(label simpinfo)

10. (trw |f(g(n)+1)| (open f g))

;F(G(N)+1)=1

One may wonder why the rewriter was successful in line 7. Although we have not defined plus, by semantic attachment 1+1 has its intended meaning and natnum(2) is true.

(setq rewritemessages t)

7. (trw |f(f(n)+1)| (open f))

;the term F(N) is replaced by:
1
;the term 1+1 is replaced by:
2
;the term F(2) is replaced by:
1
;F(F(N)+1)=1

(iii) There are conditions on the rewriting that are not satisfied. Often the conditions are satisfied, but cannot be verified directly by the EKL decision procedure and we need to construct an additional rewriter. (See Example 5.)

(iv) The use of a line is blocked, because we are rewriting in mode: exact. In this case we may try the same rewriting in mode: always. If the rewriter in mode: always causes an infinite loop, then expanding the proof may be our only choice.

(v) The expression produced by the rewriting is not simpler, and we are rewriting in the default mode. For instance, at line 12 the line LINE is not applied when rewriting in default mode, since the expression g(g(n)) resulting from its application would be more complex than f(x). Here it is enough to specify the mode of the rewriting (line 13).

11. (assume |f(x)=g(g(n))|)

(label line)

12. (trw |f(x)| line (open g))

;F(X)=F(X)

;deps: (LINE)

13. (trw |f(x)| (use line mode: exact) (open g))

;F(X)=N

;deps: (LINE)

(vi) The line is not applicable, because of a conflict of context.

14. (define g |∀x. g(x)=f(x)|)

(label gdef)

15. (trw |g(x)| (open g) line)

;context of line GDEF cannot be adjoined; the atom G in line GDEF has
;two definitions: one from line 6 and the other from GDEF


4. The following is a nontrivial example, in which there is additional logical structure to be considered in rewriting. We consider the proof of Lemma 2.10 Mult Nthcdr, Section 2.12. Here the rewriting line is found by interaction with EKL, and from this rather involved expression a general 'propositional schema' is abstracted, to be used in similar contexts.

Example 5.

∀N A U. N<LENGTH U ⊃ MULT(NTHCDR(U,N),A) ≤ MULT(U,A)

This is a statement about the sublists of a given list u formulated in terms of the function nthcdr. It may be convenient to use a proof by induction on n. In the base case, since nthcdr(u,0) is u, EKL has to know only what nthcdr and ≤ mean. It is enough, therefore, to say (open lesseq) in the part of the induction axiom corresponding to the base case (the definition of nthcdr is in simpinfo). To do the induction step one can formalize the informal argument given in the text, assuming

n<length u ⊃ mult(nthcdr(u,n),a) ≤ mult(u,a)

and deriving

n'<length u ⊃ mult(nthcdr(u,n'),a) ≤ mult(u,a)

To avoid an explicit proof, we notice that we can easily induce EKL to rewrite the inductive step as

(N<LENGTH U ⊃ MULT(NTH(U,N).NTHCDR(U,N'),A) ≤ MULT(U,A)) ⊃
(N'<LENGTH U ⊃ MULT(NTHCDR(U,N'),A) ≤ MULT(U,A))

Then mult is expanded and the conditional clause is pushed out: hence the same line rewrites to

(N<LENGTH U ⊃
   (IF A(NTH(U,N))
    THEN MULT(NTHCDR(U,N'),A)' ≤ MULT(U,A)
    ELSE MULT(NTHCDR(U,N'),A) ≤ MULT(U,A))) ⊃
(N'<LENGTH U ⊃ MULT(NTHCDR(U,N'),A) ≤ MULT(U,A)).

This is not very perspicuous. The key point is to realize that the structure of the logical argument can be summarized in the formula Trans Cond:

∀P Q R. (Q⊃R) ∧ (IF P THEN Q ELSE R) ⊃ R,

where Q is

mult(nthcdr(u,n'),a)' ≤ mult(u,a),

R is

mult(nthcdr(u,n'),a) ≤ mult(u,a),

and P is

a(nth(u,n)).

Clearly Q⊃R follows from elementary arithmetic (fact Succ Lesseq Lesseq). To do the inductive argument in one step we need only prepare one rewriter (line 8 in the text):

(IF A(NTH(U,N))
 THEN MULT(NTHCDR(U,N'),A)' ≤ MULT(U,A)
 ELSE MULT(NTHCDR(U,N'),A) ≤ MULT(U,A)) ⊃
MULT(NTHCDR(U,N'),A) ≤ MULT(U,A)

and use the following fact of elementary arithmetic (Succ Less Less):

N'<LENGTH U ⊃ N<LENGTH U

The simplification of this proof is certainly worth the effort. Indeed the argument used here is quite common in proofs about recursively defined objects. There is a good chance that the rewriter Trans Cond may be applied in similar cases. □


5. Finally it may be the case that, despite our attempts, we cannot find by trial and error the appropriate rewriter. Then we expand our proof in a 'Natural Deduction style': e.g. in a proof by induction we try to prove the base case, we assume the induction hypothesis and try to prove the conclusion of the inductive step. If the latter is in turn an implication, we assume the antecedent, etc. In the process, we may expand definitions, perform substitutions, etc. Moreover, we may need to prove other lemmata also by induction. The process is not easily described in general terms, since there is no general analysis of higher order inductive proofs in Natural Deduction, as we remarked earlier. In practice it is quite clear what to do, although several options may be open, especially when we are engaged in a proof by contradiction.

6. Once the derivation is found we may try to collapse it into a few steps. For example, it may be clear which formulas could be taken as rewriters.

In trying to replace logical deduction by rewriting, we find some steps harder to handle than others.
(i) A line resulting from the cases command, i.e. the conclusion of a proof by cases, corresponds to rewriting a disjunction in the antecedent of an implication. This can be handled by using the rewriter NORMAL as explained in Example 1.

(ii) Argument by contradiction and steps involving negation may require some help. For instance, although EKL can easily derive ¬B ⊃ ¬A from A ⊃ B, it may not do this step in the context of conditional rewriting.

(iii) Quantifiers may require additional lines, in particular the existential one. If the result involves a bound quantifier, it may be convenient to replace it by a recursively defined predicate. For instance

∀m. m<n ⊃ A(m),  ∃m. m<n ∧ A(m),  ∀x. member(x,u) ⊃ A(x),  ∃x. member(x,u) ∧ A(x)

are equivalent to the recursive predicates

allnum(n,λm.A(m)),  somenum(n,λm.A(m)),  allp(λx.A(x),u),  somep(λx.A(x),u).

In the context of inductive proofs, it is convenient to formulate the result by using the recursive predicate and prove this formula first. This method is presented in Examples 6 and 7.

The proof of Fstposition Nth, already examined in Example 4, Section 2.9, is an instance of the process of collapsing a long proof into a few lines. First of all, in later applications we use

(★) ∀U N. INJ(U) ∧ N<LENGTH U ⊃ FSTPOSITION(U,NTH(U,N))=N

rather than

(★★) ∀U N. UNIQUENESS(U) ∧ N<LENGTH U ⊃ FSTPOSITION(U,NTH(U,N))=N

and we may be tempted to prove (★) directly. inj and uniqueness are equivalent predicates, but the latter is a recursively defined predicate, whereas the former has an explicit definition using quantifiers. In the spirit of our suggestion (iii), we should try a proof of (★★) and indeed we find one four lines long. Moreover, notice that we derive line 3 of the proof from line 2, to allow the use of ¬x=nth(u,n), a negative formula, in rewriting. This is in accordance with our suggestion (ii). Looking at the proof, it is completely clear that line 3 will do the job, by considering its effect on the rewriting of line 4. But the form of 3 or the possibility of proving it in two steps may not have occurred to us at first sight, before a more detailed proof.

In  conclusion,  one  learns  to  control  the  rewriting  process  of  EKL  by  trial  and  error:  it  may 
be  necessary  first  to  write  some  explicit  proofs  in  order  to  understand  with  total  clarity  the  single 
step  of  rewriting.  Then  one  may  succeed  in  collapsing  the  proof  into  a  single  step,  using  a  suitable 
line  to  reduce  logical  inferences  to  steps  of  rewriting.  Several  proofs  in  this  paper  were  obtained  in 
this  way  and  some  more  may  be  reduced  to  a  few  lines  with  some  additional  effort.  To  make  the 
proofs  shorter  doesn't  mean  to  make  them  clearer.  As  in  informal  mathematical  presentations,  a 
balance  has  to  be  found  between  the  necessity  of  formal  precision  and  the  need  for  clarity.  One 
has  to  admit,  however,  that  at  the  present  stage  it  is  premature  to  worry  about  mechanical  proofs 
being  too  concise. 
PART 2

Section 4

4. The Pigeon Hole Principle.

In this section we prove the Pigeon Hole principle in second order arithmetic and apply it to show that every finite surjection is an injection, in our two representations.

4.1. The Pigeon Hole Principle in Second Order Arithmetic.

Theorem. (Pigeonfact)

∀F. (∀N. NATNUM(F(N))) ⊃
    (∀N. (∀M. M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M. M<N ⊃ 1=F(M)))

We give two versions of the proof. In the former we prove directly

∀F N. (∀M. M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M. M<N ⊃ 1=F(M));

the presence of quantifiers requires a proof in the style of Natural Deduction.

In the latter we assume ∀N. NATNUM F(N) and we prove

∀N. ALLNUM(N,λK.1≤F(K)) ∧ SUM(λK.F(K),N)=N ⊃ ALLNUM(N,λK.1=F(K));

the use of the recursively defined predicate allnum allows a straightforward proof by induction.

First Proof. We need a preliminary fact: if f is defined and has positive values on 0, ..., n−1, then the function

$$\sum_{m<n} f(m)$$

is strictly increasing. The proof is a straightforward induction, using in the induction step the lemma Add Lesseq (line 7).

(wipe-out)

(get-proofs sums)

(proof pigeonfact)

1. (assume |(∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)) ⊃ n≤sum(λk.f(k),n)|)

(label si_indhyp)

2. (assume |∀m. m<n' ⊃ natnum f(m) ∧ 1≤f(m)|)

(label si_hyp)

3. (trw |∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)|
        (* transitivity_of_order successor1))

;∀M. M<N ⊃ NATNUM(F(M)) ∧ 1≤F(M)

(label si1)

4. (ue ((numseq.|λk.f(k)|)(n.n)) sumsort *)

;NATNUM(SUM(λK.F(K),N))

(label sisort)

5. (derive |n≤sum(λk.f(k),n)| (si1 si_indhyp))
(label si2)

6. (ue (m n) si_hyp successor1)
;NATNUM(F(N)) ∧ 1≤F(N)

(label si3)

;deps: (SI_HYP)

We need Add Lesseq:

;labels: ADD_LESSEQ
;∀N M K. N≤M ∧ 1≤K ⊃ N'≤M+K

7. (ue ((n.n)(k.|f(n)|)(m.|sum(λk.f(k),n)|))
       add_lesseq (sisort si2 si3))

;N'≤SUM(λK.F(K),N)+F(N)

;deps: (SI_INDHYP SI_HYP)

8. (ci si_hyp)

;(∀M. M<N' ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ⊃ N'≤SUM(λK.F(K),N)+F(N)
;deps: (SI_INDHYP)

9. (ci si_indhyp)

;((∀M. M<N ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ⊃ N≤SUM(λK.F(K),N)) ⊃
;((∀M. M<N' ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ⊃ N'≤SUM(λK.F(K),N)+F(N))

10. (ue (a |λn. (∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)) ⊃ n≤sum(λk.f(k),n)|)
        proof_by_induction
        (open sum) zeroleast (use * mode: always))
;∀N. (∀M. M<N ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ⊃ N≤SUM(λK.F(K),N)

(label strictly_increasing)


Next we want to show that if the values of f are greater than or equal to 1 and, in addition, the value of

$$\sum_{m=0}^{n-1} f(m)$$

is bounded by n, then the values of f must be equal to 1.

The proof is another simple induction, using in the induction step the lemma Add One (line 19).

;use

;labels: ADD_ONE

;(AXIOM |∀K N M. 1≤K ∧ N'=M+K ∧ N≤M ⊃ 1=K ∧ N=M|)

We will substitute f(n) for k and sum(λk.f(k),n) for m. Lines 15, 17 and 18 are all the conditions in the antecedent of the lemma that are needed to apply it. At line 18 we use the first part, Strictly Increasing.
;other direction

11. (assume |(∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)) ∧ sum(λk.f(k),n)=n ⊃ (∀m. m<n ⊃ 1=f(m))|)
(label pfindhyp)

12. (assume |∀m. m<n' ⊃ natnum f(m) ∧ 1≤f(m)|)

(label pf_assume)

13. (derive |∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)|
        (pf_assume transitivity_of_order successor1))

(label pf0)

14. (ue ((numseq.|λk.f(k)|)(n.n)) sumsort *)

;NATNUM(SUM(λK.F(K),N))

(label pfsort)

;deps: (PF_ASSUME)

The following is the first fact needed for the application of the lemma Add One. We obtain it as an immediate consequence of the assumption of the inductive step.

15. (ue (m n) pf_assume successor1)

;NATNUM(F(N)) ∧ 1≤F(N)

(label pf1)

;deps: (PF_ASSUME)

The second fact,

$$n' = \sum_{m=0}^{n-1} f(m) + f(n),$$

is also an assumption of the inductive step.

16. (assume |sum(λk.f(k),n')=n'|)

(label pf_assume)

17. (rw * (open sum))

;SUM(λK.F(K),N)+F(N)=N'

(label pf2)

;deps: (PF_ASSUME)

The third fact,

$$n \le \sum_{m=0}^{n-1} f(m),$$

is a direct consequence of Strictly Increasing.

18. (derive |n≤sum(λk.f(k),n)| (strictly_increasing pf0 pfsort))

(label pf3)

;deps: (PF_ASSUME)

19. (ue ((k.|f(n)|)(n.n)(m.|sum(λk.f(k),n)|)) add_one
        (pf1 pf2 pf3 pfsort))

;1=F(N) ∧ N=SUM(λK.F(K),N)

(label pf4)

;deps: (PF_ASSUME)

We use the second conjunct to apply the induction hypothesis.

20. (derive |∀m. m<n ⊃ 1=f(m)| (pfindhyp pf0 *))

(label pf5)

;deps: (PF_ASSUME PFINDHYP)

21. (derive |n0=n ⊃ 1=f(n0)| pf4)

;deps: (PF_ASSUME)

22. (trw |∀m. m<n' ⊃ 1=f(m)| (use less_succ_lesseq mode: exact)
        (open lesseq) (use normal mode: always) pf5 *)

;∀M. M<N' ⊃ 1=F(M)

;deps: (PF_ASSUME PFINDHYP)

23. (ci pf_assume)

;(∀M. M<N' ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ∧ SUM(λK.F(K),N')=N' ⊃ (∀M. M<N' ⊃ 1=F(M))
;deps: (PFINDHYP)

24. (ci pfindhyp)

25. (ue (a |λn. (∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)) ∧ sum(λk.f(k),n)=n ⊃
                (∀m. m<n ⊃ 1=f(m))|)
        proof_by_induction *)

;∀N. (∀M. M<N ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M. M<N ⊃ 1=F(M))

Check that the result holds for any f:

26. (trw |∀f n. (∀m. m<n ⊃ natnum f(m) ∧ 1≤f(m)) ∧ sum(λk.f(k),n)=n ⊃
                (∀m. m<n ⊃ 1=f(m))| *)

;∀F N. (∀M. M<N ⊃ NATNUM(F(M)) ∧ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃
;      (∀M. M<N ⊃ 1=F(M))

(label pigeonfact) ■


Second Proof. Using the inductive predicate allnum instead of quantifiers, the theorem is proved very quickly.

(wipe-out)

(get-proofs sums)

(proof pigeonfact)

1. (assume |∀n. natnum f(n)|)

(label sort1)

2. (ue ((numseq.|λk.f(k)|)(n.n)) sumsort *)

;NATNUM(SUM(λK.F(K),N))

(label sort2)

3. (ue (a |λn. allnum(n,λk.1≤f(k)) ⊃ n≤sum(λk.f(k),n)|)
       proof_by_induction
       (open allnum sum) zeroleast (use sort1 sort2 mode: always)
       (use add_lesseq
            ue: ((n.n)(k.|f(n)|)(m.|sum(λk.f(k),n)|))))

(label strictly_increasing)

;∀N. ALLNUM(N,λK.1≤F(K)) ⊃ N≤SUM(λK.F(K),N)

;deps: (SORT1)

4. (ue (a |λn. allnum(n,λk.1≤f(k)) ∧ sum(λk.f(k),n)=n ⊃
               allnum(n,λk.1=f(k))|)
       proof_by_induction
       (open allnum sum) strictly_increasing sort1 sort2
       (use add_one
            ue: ((k.|f(n)|)(n.n)(m.|sum(λk.f(k),n)|)) mode: always))
;∀N. ALLNUM(N,λK.1≤F(K)) ∧ SUM(λK.F(K),N)=N ⊃ ALLNUM(N,λK.1=F(K))

;in more conventional notation:

5. (rw * (use allnumfact ue: ((a.|λk.1≤f(k)|)(n.n))
                         mode: always direction: reverse)
         (use allnumfact ue: ((a.|λk.1=f(k)|)(n.n))
                         mode: always direction: reverse))

;∀N. (∀M. M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M. M<N ⊃ 1=F(M))

;deps: (SORT1)

6. (ci sort1)

;(∀N. NATNUM(F(N))) ⊃
;(∀N. (∀M. M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M. M<N ⊃ 1=F(M)))

(label pigeonfact) ■


Remark. Example 6. Let us consider the heuristics of this theorem. If we formulate Strictly Increasing using the inductive predicate 'allnum', and expand the definitions we obtain:

0. (ue (a |λn. allnum(n,λk.natnum f(k) ∧ 1≤f(k)) ⊃ n≤sum(λk.f(k),n)|)
       proof_by_induction (open allnum sum))

;0≤0 ∧
;(∀N. (ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ⊃ N≤SUM(λK.F(K),N)) ⊃
;     (NATNUM(F(N)) ∧ 1≤F(N) ∧ ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ⊃
;      N'≤SUM(λK.F(K),N)+F(N))) ⊃
;(∀N. ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ⊃ N≤SUM(λK.F(K),N))

The main point is to formulate the fact Add Lesseq. In other words, we must recognize that the following line would do the job (once we guarantee that f(n) and sum(λk.f(k),n) are natural numbers).

0. (ue ((n.n)(k.|f(n)|)(m.|sum(λk.f(k),n)|)) add_lesseq)

;NATNUM(F(N)) ∧ NATNUM(SUM(λK.F(K),N)) ⊃
;(N≤SUM(λK.F(K),N) ∧ 1≤F(N) ⊃ N'≤SUM(λK.F(K),N)+F(N))

Similarly, the theorem is:

0. (ue (a |λn. allnum(n,λk.natnum f(k) ∧ 1≤f(k)) ∧ sum(λk.f(k),n)=n ⊃
               allnum(n,λk.1=f(k))|)
       proof_by_induction (open allnum sum))

;(∀N. (ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ∧
;      SUM(λK.F(K),N)=N ⊃ ALLNUM(N,λK.1=F(K))) ⊃
;     (NATNUM(F(N)) ∧ 1≤F(N) ∧ ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ∧
;      SUM(λK.F(K),N)+F(N)=N' ⊃ 1=F(N) ∧ ALLNUM(N,λK.1=F(K)))) ⊃
;(∀N. ALLNUM(N,λK.NATNUM(F(K)) ∧ 1≤F(K)) ∧ SUM(λK.F(K),N)=N ⊃
;     ALLNUM(N,λK.1=F(K)))

Again the key idea is the fact Add One. We need only to construct the following line as a rewriter (and make sure that f(n) and sum(λk.f(k),n) are natural numbers).

0. (ue ((k.|f(n)|)(n.n)(m.|sum(λk.f(k),n)|)) add_one)

;NATNUM(F(N)) ∧ NATNUM(SUM(λK.F(K),N)) ⊃
;(1≤F(N) ∧ SUM(λK.F(K),N)+F(N)=N' ∧ N≤SUM(λK.F(K),N) ⊃
; 1=F(N) ∧ N=SUM(λK.F(K),N))

A priori, it may seem irrelevant for our capacity of discovering the appropriate steps whether these facts are expressed by bound quantifiers or by recursive predicates. Intuitively, we can say that the second representation helps us to 'think recursively' and to focus our attention towards the right inductive step. The mechanization of the proof makes it clear that the second representation is indeed more economical and gives more precise content to our intuition. □


4.2. Corollary for Application to Lists.

As an application we prove the following corollary. Let $\{a_1, \ldots, a_n\}$ be a sequence of pairwise disjoint sets, given by the functional λm.setseq(m), and let w be any list of length n.

If the function we consider associates any set $a_i$ with the number of occurrences in w of elements of $a_i$, then we can certainly define it as a total function and the sum of the values is certainly bounded by n, the length of w. In our terminology:

Corollary. (Pigeonlist)

∀U. DISJOINT(SETSEQ,LENGTH U) ⊃
    ((∀M. M<LENGTH U ⊃ 1≤MULT(U,SETSEQ(M))) ⊃
     (∀M. M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M))))

Proof. Consider the function λk.mult(w,setseq(k)) from N to N.

(1) λk.mult(w,setseq(k))

is a total function. This is certainly true, no matter what setseq is, by definition of mult (see Multfact).

Since the sets setseq(i), for i < length(w), are pairwise disjoint, then

$$\sum_{m<\mathrm{length}(w)} \mathrm{mult}(w,\mathrm{setseq}(m)) \le \mathrm{mult}\Big(w,\bigcup_{i<\mathrm{length}(w)} \mathrm{setseq}(i)\Big)$$

by the Lemma Mult of Un is Sum Mult. Also by the Lemma 2.8 (Length Mult)

$$\mathrm{mult}\Big(w,\bigcup_{i<\mathrm{length}(w)} \mathrm{setseq}(i)\Big) \le \mathrm{length}(w).$$

Therefore

(2) $$\sum_{m<\mathrm{length}(w)} \mathrm{mult}(w,\mathrm{setseq}(m)) \le \mathrm{length}(w).$$

Hence we can apply the Theorem Pigeonfact to obtain the Corollary.
(proof pigeonlist)

1. (assume |disjoint(setseq,length w)|)

(label pl1)

;multiplicity less than length

2. (ue ((u.w)(a.|un(setseq,length w)|)) length_mult)

;MULT(U,UN(SETSEQ,LENGTH U))≤LENGTH U

(label pl2)

3. (derive |sum(λm.mult(w,setseq(m)),length w)≤length w|
       (mult_of_un_is_sum_mult pl1 pl2))

(label pl3)

4. (ue ((f.|λm.mult(u,setseq(m))|)(n.|length u|)) pigeonfact
       pl3 multfact)

;(∀M. M<LENGTH U ⊃ 1≤MULT(U,SETSEQ(M))) ⊃
;(∀M. M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M)))

;deps: (PL1)

;the pigeon hole principle on lists

5. (ci pl1)

;DISJOINT(SETSEQ,LENGTH U) ⊃
;((∀M. M<LENGTH U ⊃ 1≤MULT(U,SETSEQ(M))) ⊃
; (∀M. M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M))))

(label pigeonlist) ■
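Theorem Pigeonfact (4.1) and Corollary Pigeonlist (4.2), checked in an added Python example that is not code from the paper; sum_below, allnum, mult, un and disjoint are assumed stand-ins for the EKL functions of those names (sets are frozensets, setseq an indexable sequence of them), the theorem is checked by exhaustive enumeration over small n, and the sample lists and sets are constructed:

```python
# Added example, not from the paper: Theorem Pigeonfact and Corollary
# Pigeonlist in Python. sum_below, allnum, mult, un and disjoint are assumed
# stand-ins for the EKL functions of the same names (sets are frozensets and
# setseq is an indexable sequence of them); the pigeonfact check is an
# exhaustive enumeration over small n, and all sample data is constructed.
from itertools import product


def sum_below(f, n):
    """sum(λk.f(k), n) = f(0) + ... + f(n-1)."""
    return sum(f(k) for k in range(n))


def allnum(n, a):
    """allnum(n, λm.A(m)): the recursive form of ∀m. m<n ⊃ A(m)."""
    return n == 0 or (a(n - 1) and allnum(n - 1, a))


def strictly_increasing_holds(f, n):
    """Lemma Strictly Increasing: allnum(n, λk.1≤f(k)) ⊃ n ≤ sum(λk.f(k), n)."""
    return (not allnum(n, lambda k: 1 <= f(k))) or n <= sum_below(f, n)


def pigeonfact_holds(f, n):
    """Theorem Pigeonfact for one f and n:
    allnum(n, λk.1≤f(k)) ∧ sum(λk.f(k), n) = n ⊃ allnum(n, λk.1=f(k))."""
    hyp = allnum(n, lambda k: 1 <= f(k)) and sum_below(f, n) == n
    return (not hyp) or allnum(n, lambda k: 1 == f(k))


def check_pigeonfact_exhaustively(n, max_value):
    """Both statements for every f: {0,...,n-1} -> {0,...,max_value}."""
    for values in product(range(max_value + 1), repeat=n):
        f = lambda k, v=values: v[k]
        if not (strictly_increasing_holds(f, n) and pigeonfact_holds(f, n)):
            return False
    return True


# --- lists, multiplicities and the Corollary ---
def mult(u, a):
    """mult(u,a): the number of occurrences in the list u of elements of a."""
    return sum(1 for x in u if x in a)


def un(setseq, n):
    """un(setseq, n): setseq(0) ∪ ... ∪ setseq(n-1)."""
    out = frozenset()
    for i in range(n):
        out |= setseq[i]
    return out


def disjoint(setseq, n):
    """setseq(0), ..., setseq(n-1) are pairwise disjoint."""
    return all(not (setseq[i] & setseq[j])
               for i in range(n) for j in range(i + 1, n))


def lemmas_hold(u, setseq):
    """The two facts the proof chains: for disjoint setseq the multiplicities
    add up to mult of the union (Mult of Un is Sum Mult), and mult of any set
    is at most length u (Length Mult)."""
    n = len(u)
    total = sum_below(lambda m: mult(u, setseq[m]), n)
    return total == mult(u, un(setseq, n)) and mult(u, un(setseq, n)) <= n


def pigeonlist_holds(u, setseq):
    """Corollary Pigeonlist for one list u: disjoint(setseq, length u) ⊃
    ((∀m<length u. 1 ≤ mult(u,setseq(m))) ⊃ (∀m<length u. 1 = mult(u,setseq(m))))."""
    n = len(u)
    if not disjoint(setseq, n):
        return True                      # antecedent false
    each_hit = all(1 <= mult(u, setseq[m]) for m in range(n))
    return (not each_hit) or all(1 == mult(u, setseq[m]) for m in range(n))


# Constructed sample: three disjoint singleton classes, as in Section 4.3.
SETSEQ = [frozenset({10}), frozenset({20}), frozenset({30})]
U_ONTO = [20, 30, 10]        # every class hit at least once -> exactly once
U_REPEAT = [10, 10, 20]      # class {30} never hit: the antecedent fails
OVERLAP = [frozenset({1, 2}), frozenset({2})]   # not disjoint


if __name__ == "__main__":
    print(check_pigeonfact_exhaustively(4, 4))
    print(pigeonlist_holds(U_ONTO, SETSEQ), [mult(U_REPEAT, s) for s in SETSEQ])
```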


4.3. Application of the Pigeon Hole Principle to Lists.

Having proved the Pigeon Hole Principle, we will conclude that every map f of a finite set
A onto itself is an injection, using our two different representations of finite functions. We could
formalize the informal proof, given as a Lemma in the Introduction, Section 1.4. Actually, we
could prove a more general result for surjective mappings f : A → B between finite sets of the same
cardinality. (The mechanical proof is described as Example 10 in the Conclusion.)

By restricting ourselves to permutations, we can slightly simplify our proof as follows.

— First, let
be an enumeration without repetition of the set domain(f) and let v be the list

(y_1 ... y_n)

where

y_j =

for some i. v lists range(f), possibly with repetitions. Finally, consider the sequence of sets

.

These sets are disjoint.

— Second, since f is onto A, for each x_i there is some y_j such that x_i = y_j, i.e.

|{j : y_j = x_i}| ≥ 1,

or, in our terminology,

mult(v,mkset(x_i)) ≥ 1.

Therefore, by the Pigeon Hole Principle,

|{j : y_j = x_i}| = 1.

— Finally, since f is into A, each y_j is some x_i. It follows that the set of all sets [x_i] is a
partition of v, i.e. of range(f). (Every element y_j of range(f) belongs to one and only one class
[y_j].) By the second step, each [y_j] has cardinality 1. It follows easily that if f(x_i) = f(x_j)
then i = j.

The two representations for finite functions cause some variations in the argument. In both
cases, the fact that f is an injection is represented by the fact that each element of S occurs just
once in a certain list v. In both cases we use the function mult to count the number of occurrences
of elements of a set in a list, i.e. |{j : y_j =
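The three steps above, as an added Python model written for this edition (not the paper's EKL text): lists are Python lists, sets are frozensets, and mult, un, disjoint, the corollary Pigeonlist and the two main theorems are written out so the counting behind each step can be run on constructed inputs. The function names follow the paper's; the Python signatures are mine.

```python
from itertools import combinations

# Added illustration, not the paper's EKL text.  Sets are Python frozensets,
# lists are Python lists, nth(u,m) is u[m], and a "sequence of sets" setseq
# is any function from an index m to a frozenset.

def mult(u, a):
    """mult(u,a): number of positions m < length(u) with nth(u,m) in the set a."""
    return sum(1 for x in u if x in a)

def mkset(x):
    """mkset(x) = {y : y = x}."""
    return frozenset([x])

def mklset(u):
    """mklset(u): the set of members of the list u."""
    return frozenset(u)

def un(setseq, n):
    """un(setseq,n): the union of setseq(i) for i < n."""
    return frozenset().union(*(setseq(i) for i in range(n)))

def disjoint(setseq, n):
    """disjoint(setseq,n): setseq(i) and setseq(j) are disjoint for all i < j < n."""
    return all(not (setseq(i) & setseq(j)) for i, j in combinations(range(n), 2))

def inj(u):
    """inj(u): nth(u,n) = nth(u,m) implies n = m, i.e. no member occurs twice."""
    return len(mklset(u)) == len(u)

def pigeonlist(u, setseq):
    """Corollary Pigeonlist.  Hypotheses: setseq(0..length(u)-1) pairwise disjoint
    and each set has multiplicity >= 1 in u.  Returns the list of multiplicities,
    which the counting argument forces to be all 1: multiplicities of disjoint
    sets add up to the multiplicity of their union, which is at most length(u)."""
    n = len(u)
    if not disjoint(setseq, n):
        raise ValueError("setseq is not disjoint")
    mults = [mult(u, setseq(m)) for m in range(n)]
    if min(mults, default=1) < 1:
        raise ValueError("some set has multiplicity 0")
    # Lemma Mult of Un is Sum Mult, then Lemma Length Mult
    assert sum(mults) == mult(u, un(setseq, n)) <= n
    return mults

def permutp_injectp(u, v):
    """Theorem Permutp Injectp, alist version.  u = dom(alist) has the uniqueness
    property and mklset(u) = mklset(v) for v = range(alist); the three steps of
    Section 4.3 give inj(v).  Returns the evidence of each step and the conclusion."""
    if not (inj(u) and mklset(u) == mklset(v) and len(u) == len(v)):
        raise ValueError("u, v do not come from a permutp alist")
    setseq = lambda m: mkset(u[m])            # the sets {x : x = nth(u,m)}
    step1 = disjoint(setseq, len(u))          # Lemma Inj Disj
    step2 = all(mult(v, setseq(m)) >= 1 for m in range(len(u)))   # Lemma 4.2
    mults = pigeonlist(v, setseq)             # each nth(u,m) occurs exactly once in v
    # Lemma Mult Mult: every nth(v,i) is some nth(u,mv), so it too occurs once
    step3 = all(mult(v, mkset(v[i])) == 1 for i in range(len(v)))
    return step1, step2, mults, step3, inj(v)  # Lemma Mult Inj gives inj(v)

def perm_inj(u):
    """Theorem Perm Inj, number-list version: into(u) and onto(u) give inj(u)."""
    n = len(u)
    into = all(isinstance(x, int) and 0 <= x < n for x in u)
    onto = all(k in u for k in range(n))
    if not (into and onto):
        raise ValueError("u is not a perm")
    # Lemma Disjoint Number: the sets {m} are pairwise disjoint, so mkset is the setseq
    return pigeonlist(u, mkset) == [1] * n and inj(u)
```

A list such as [0, 0, 1] satisfies the disjointness hypothesis but not positive multiplicity for the set {2}, and pigeonlist rejects it, which is exactly where ontoness enters the argument.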


4.3.1. Application of the Pigeon Hole Principle to Alists.

In this subsection we give the proof that every map of a finite set onto itself is an injection,
using the representation of functions by association lists (Theorem Permutp Injectp, Section

If alist_f represents f, the fact that f is a map of a finite set onto itself is given by the property
permutp(alist_f). Then the two lists u = dom(alist_f) and v = range(alist_f) have the same
length and contain the same set of elements. The list u has the uniqueness property since f is a
function. Our ultimate goal is to show that v has the uniqueness property, too.

We search for a partitioning {a_i : i < n} of v, where n = length(v), namely, a sequence of
n nonempty disjoint sets, such that each element of v belongs to some set of the sequence. We
know more about u than about v, since u has the injectivity property. The idea is to consider the
sequence of the sets

{x : x = nth(u,m)},

for m < length(u); in our notation

λm.mkset(nth(u,m));

this is a sequence of nonempty sets, whose union is the set of members of u. We can prove that it
is disjoint since u is injective. Thus it partitions u. It partitions also v, since u and v are the same
as sets.
4.3.2. Step 1: Injectivity implies Disjointness.

Lemma 4.1. (Inj Disj)

∀U.INJ(U)⊃DISJOINT(λM.MKSET(NTH(U,M)),LENGTH U)

Proof. To show this, we prove

∀n.inj(u)∧n≤length u⊃disjoint(λm.mkset(nth(u,m)),n)

by induction on n (line 13). The theorem follows by taking n = length(u). The essential part of
the induction step is proved first as a lemma (line 12).

;inj implies disjoint
(proof inj_disj)

;a main lemma for the induction step

1. (assume |inj u|)(label injdsj0)

2. (rw * (open inj))(label injdsj1)
;∀N M.N<LENGTH U∧M<LENGTH U∧NTH(U,N)=NTH(U,M)⊃N=M

3. (assume |n<length u|)(label injdsj2)

4. (assume |(un(λm.mkset(nth(u,m)),n))(xv)∧(mkset(nth(u,n)))(xv)|)
(label injdsj3)

;need mksetfact

5. (ue ((u.u)(n.n)) mksetfact (open lesseq) injdsj2)
;UN(λM.MKSET(NTH(U,M)),N)=(λX.(∃K.K<N∧NTH(U,K)=X))

6. (rw injdsj3 (use * mode: exact) (open mkset) injdsj2)
;(∃K.K<N∧NTH(U,K)=XV)∧XV=NTH(U,N)
(label injdsj4)

7. (define kv |kv<n∧nth(u,kv)=xv| (use *))
(label injdsj5)

8. (derive |kv<length u∧nth(u,kv)=nth(u,n)|
(* injdsj2 transitivity_of_order)
(use injdsj4 mode: always direction: reverse))

9. (derive |kv=n| (injdsj2 * injdsj1))

10. (rw injdsj5 (use * mode: exact) irreflexivity_of_order)
;FALSE
;deps: (INJDSJ0 INJDSJ3 INJDSJ2)

11. (ci injdsj3)
;¬((UN(λM.MKSET(NTH(U,M)),N))(XV)∧(MKSET(NTH(U,N)))(XV))

12. (ci (injdsj0 injdsj2))
;INJ(U)∧N<LENGTH U⊃
; ¬((UN(λM.MKSET(NTH(U,M)),N))(XV)∧(MKSET(NTH(U,N)))(XV))
(label injdsj_lemma)


The result follows in two lines.

13. (ue (a |λn.inj(u)∧n≤length(u)⊃disjoint(λm.mkset nth(u,m),n)|)
proof_by_induction
(open disjoint disj_pair intersection emptyp)
(use less_lesseqsucc mode: always direction: reverse)
(use id_lemma mode: always) (part 1#2#1#1 (open lesseq)))
;∀N.INJ(U)∧N≤LENGTH U⊃DISJOINT(λM.MKSET(NTH(U,M)),N)

14. (ue (n |length u|) * (open lesseq))
;INJ(U)⊃DISJOINT(λM.MKSET(NTH(U,M)),LENGTH U)

(label inj_disj) ■


4.3.3. Step 2: Positive Multiplicity.

Lemma 4.2. (Permutp Injectp Lemma)

∀U V.MKLSET U=MKLSET V⊃
(∀M.M<LENGTH U⊃1≤MULT(V,MKSET NTH(U,M)))

Proof. We want to show that the multiplicity in v of the set {x : x = nth(u,m)} is positive
(line 8) under the assumption that u and v have the same set of elements (line 1). In fact, we
obtain a map

n ↦ kv,

where nth(v,kv) = nth(u,n) (line 6).

(proof permutp_injectp_lemma)

1. (assume |mklset u=mklset v|)
(label pil1)

2. (assume |n<length u|)
(label pil2)

The fact that nth(u,n) ∈ {xv : member(xv,u)} is an immediate consequence of Nthmember.

3. (trw |nth(u,n)∈mklset u| (open epsilon mklset)
nthmember pil2)
;NTH(U,N)∈MKLSET(U)
;deps: (PIL2)

Here we apply line 1.

4. (rw * (use pil1 mode: exact))
;NTH(U,N)∈MKLSET(V)
;deps: (PIL1 PIL2)

Finally, using Mklset Fact, we prove the existence of a kv such that nth(v,kv) = nth(u,n).

5. (rw * (use mklset_fact mode: exact) (open epsilon mkset))
;∃K.K<LENGTH V∧NTH(V,K)=NTH(U,N)
;deps: (PIL1 PIL2)

6. (define kv |kv<length(v)∧nth(v,kv)=nth(u,n)| *)
(label pil3)
;deps: (PIL1 PIL2)

7. (trw |member(nth(v,kv),v)| nthmember pil3)
;MEMBER(NTH(V,KV),V)
(label pil4)

Therefore, by the Lemma Member Mult, the set {xv : xv = nth(u,n)} has positive multiplicity in

8. (ue ((u.v)(y.|nth(v,kv)|)(a.|mkset nth(u,n)|)) member_mult
(part 1 (open mkset)) pil2 pil4 (use pil3 mode: always))
;1≤MULT(V,MKSET(NTH(U,N)))
;deps: (PIL1 PIL2)

9. (ci (pil1 pil2))
;MKLSET(U)=MKLSET(V)∧N<LENGTH U⊃1≤MULT(V,MKSET(NTH(U,N)))

Cosmetics:

10. (derive |∀u v.mklset u=mklset v⊃
(∀m.m<length u⊃1≤mult(v,mkset nth(u,m)))| *)
(label permutp_injectp_lemma) ■


4.3.4. Step 3: The Sequence partitions the Range.

Using the result of steps 1 and 2, we will apply the corollary Pigeonlist to obtain:

∀m.m<length u⊃1=mult(v,mkset nth(u,m))

In the final step, for each member x of v we consider the set {xv : xv = x} - in our notation we take
mkset(nth(v,i)), with x = nth(v,i) for some i - and show that it coincides with some element
of the partition constructed in step 2. Hence we can conclude

mult(v,mkset(nth(v,i))) = 1

for all i < length(v). Injectivity of v will follow by the Lemma Mult Inj (Section 2.12.1).

Lemma 4.3. (Mult Mult)

∀U V.MKLSET(U)=MKLSET(V)∧
(∀M.M<LENGTH U⊃MULT(V,MKSET(NTH(U,M)))=1)⊃
(∀I.I<LENGTH V⊃MULT(V,MKSET(NTH(V,I)))=1)
Proof. This step is easy. Since u and v are the same as sets, the i-th element of v occurs in
u. By the inclusion of line 4, we obtain a map

i ↦ mv

where nth(u,mv) = nth(v,i) (line 6). It follows from our main hypothesis (line 2) that the i-th
element has just one occurrence in v.

(proof mult_mult)

1. (assume |mklset u=mklset v|)
(label mm1)

2. (assume |∀m.m<length u⊃mult(v,mkset nth(u,m))=1|)
(label mm2)

3. (assume |i<length v|)
(label mm3)

4. (trw |nth(v,i)∈mklset v| (open epsilon mklset)
(use * nthmember mode: exact))
;NTH(V,I)∈MKLSET(V)

5. (rw * (use mm1 mode: exact direction: reverse))
;NTH(V,I)∈MKLSET(U)

6. (rw * (use mklset_fact mode: exact) (open epsilon))
;∃K.K<LENGTH U∧NTH(U,K)=NTH(V,I)

7. (define mv |mv<length u∧nth(u,mv)=nth(v,i)| *)
(label mm4)
;MV is unknown.
;the symbol MV is given the same declaration as M
;deps: (MM1 MM3)

8. (ue (m mv) mm2 (use * mode: always))
;MULT(V,MKSET(NTH(V,I)))=1
;deps: (MM1 MM2 MM3)

9. (ci mm3)
;I<LENGTH V⊃MULT(V,MKSET(NTH(V,I)))=1
;deps: (MM1 MM2)

10. (ci (mm1 mm2))
;MKLSET(U)=MKLSET(V)∧(∀M.M<LENGTH U⊃MULT(V,MKSET(NTH(U,M)))=1)⊃
;(I<LENGTH V⊃MULT(V,MKSET(NTH(V,I)))=1)

(label mult_mult) ■
4.3.5. The Main Result for Association Lists: Every Permutation is an Injection.

The derivation of the main result for alists follows.

Theorem (Permutp Injectp)

∀ALIST.PERMUTP(ALIST)⊃INJECTP(ALIST)

Proof.

(proof permutp_injectp)

1. (assume |permutp alist|)
(label permutp_injectp1)

2. (rw * (open permutp))
;FUNCTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label permutp_injectp2)

3. (rw * (open functp))
;UNIQUENESS(DOM(ALIST))∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label permutp_injectp3)

First step: disjointness of a suitable sequence of sets (Lemma Inj Disj)

;labels: UNIQUENESS_INJECTIVITY
;∀U.UNIQUENESS(U)=INJ(U)

;labels: INJ_DISJ
;∀U.INJ(U)⊃DISJOINT(λM.MKSET(NTH(U,M)),LENGTH U)

4. (derive |inj(dom(alist))| (* uniqueness_injectivity))
;deps: (PERMUTP_INJECTP1)

5. (derive |DISJOINT(λM.MKSET(NTH(DOM(ALIST),M)),LENGTH(DOM(ALIST)))|
(* inj_disj))
(label permutp_injectp4)

Second step: multiplicity of the sets in the sequence is positive (Permutp Injectp Lemma)

;labels: PERMUTP_INJECTP_LEMMA
;∀U V.MKLSET(U)=MKLSET(V)⊃(∀M.M<LENGTH U⊃1≤MULT(V,MKSET(NTH(U,M))))

6. (ue ((u.|dom alist|)(v.|range alist|)) permutp_injectp_lemma
(permutp_injectp3 permutp_injectp4))
;∀M.M<LENGTH(DOM(ALIST))⊃1≤MULT(RANGE(ALIST),MKSET(NTH(DOM(ALIST),M)))
(label permutp_injectp5)

Now we apply the Pigeon Hole principle:

;labels: PIGEONLIST
;∀SETSEQ U.DISJOINT(SETSEQ,LENGTH U)∧
;(∀K.K<LENGTH U⊃1≤MULT(U,SETSEQ(K)))⊃
; (∀K.K<LENGTH U⊃1=MULT(U,SETSEQ(K)))

;need also

;labels: DOMRANGELENGTH
;∀ALIST.LENGTH(DOM(ALIST))=LENGTH(RANGE(ALIST))

7. (ue ((setseq.|λm.mkset nth(dom alist,m)|)(u.|range alist|)) pigeonlist
(use domrangelength mode: exact direction: reverse)
permutp_injectp4 permutp_injectp5)
;∀K.K<LENGTH(DOM(ALIST))⊃
;1=MULT(RANGE(ALIST),MKSET(NTH(DOM(ALIST),K)))

Third step: injectivity (using lemmata Mult Mult and Mult Inj)

;labels: MULT_MULT
;∀U V.MKLSET(U)=MKLSET(V)∧
; (∀K.K<LENGTH U⊃MULT(V,MKSET(NTH(U,K)))=1)⊃
; (∀I.I<LENGTH V⊃MULT(V,MKSET(NTH(V,I)))=1)

8. (ue ((u.|dom(alist)|)(v.|range(alist)|)) mult_mult
permutp_injectp3 *)
;∀I.I<LENGTH(RANGE(ALIST))⊃
;MULT(RANGE(ALIST),MKSET(NTH(RANGE(ALIST),I)))=1
;deps: (PERMUTP_INJECTP1)

;labels: MULT_INJ
;∀V.(∀K.K<LENGTH V⊃MULT(V,MKSET(NTH(V,K)))=1)⊃INJ(V)

9. (ue (v |range alist|) mult_inj *)
;INJ(RANGE(ALIST))
;deps: (PERMUTP_INJECTP1)

10. (derive |uniqueness(range alist)| (* uniqueness_injectivity))
;deps: (PERMUTP_INJECTP1)

11. (derive |injectp alist| (permutp_injectp2 *)(open injectp))
;deps: (PERMUTP_INJECTP1)

12. (ci (permutp_injectp1))
;PERMUTP(ALIST)⊃INJECTP(ALIST)

(label permutp_injectp) ■


Section 4    85


4.4. Application of the Pigeon Hole Principle to Lists of Numbers.

In the second application we give the proof of the theorem:

Any map of a finite set onto itself is 1-1,

by representing functions as lists of numbers.

Here we have a list u of numbers less than length(u) (intoness) and we know that every n less
than length(u) occurs in u (ontoness). This simplifies our problem. First we can consider for each
m < length(u) the set {x : x = m}. The proof that the sequence λm.mkset(m) is disjoint is
fairly straightforward. The second step — the proof that for m < length(u) the multiplicity of the
set {x : x = m} is positive — is immediate; only the third step — to prove inj(u) assuming that the
multiplicity of every such set in u is exactly 1 — requires some work.


4.4.1. Step 1: Disjointness.

Lemma 4.4. (Disjoint Number)  ∀N.DISJOINT(λXV.MKSET(XV),N)

Proof. First a useful fact: if $m \in \bigcup_{i<n}\{i\}$, then $m < n$.

(proof disjoint_number)

1. (ue (a |λn.∀m.(un((λxv.mkset(xv)),n))(m)⊃m<n|)
proof_by_induction
(part 1 (open mkset un emptyset union))
(use normal mode: always)
(use successor1 transitivity_of_order))
;∀N M.(UN(λXV.MKSET(XV),N))(M)⊃M<N
(label dn1)

Therefore

$$\bigcup_{i<n}\{i\} \cap \{n\} = \emptyset$$

and so, by induction on n, the sequence $\{i\}$, $i < n$, is disjoint.

2. (ue ((n.n)(m.n)) dn1 irreflexivity_of_order)
;¬(UN(λXV.MKSET(XV),N))(N)

3. (trw |(un(λyv.mkset(yv),n))(xv)∧(mkset(n))(xv)| *
(part 2 (open mkset)))
;¬((UN(λYV.MKSET(YV),N))(XV)∧(MKSET(N))(XV))

4. (ue (a |λn.disjoint(λxv.mkset(xv),n)|) proof_by_induction
(open disjoint disj_pair emptyp intersection)
(use * mode: exact))
;∀N.DISJOINT(λXV.MKSET(XV),N)

(label disjoint_number) ■


This  completes  step  1. 
4.4.2. Step 2: Ontoness Implies Multiplicity.

Lemma 4.5. (Onto Mult)

∀U.ONTO(U)⊃
(∀N.N<LENGTH(U)⊃1≤MULT(U,MKSET(N)))

(label onto_mult) ■

This is immediate from the definition of onto and the lemma Member Mult.


4.4.3. Step 3: Intoness Implies Multiplicity.

Using the lemma Pigeonlist and steps 1 and 2 we will conclude that

PERM(U)⊃(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))

Let's look at the last step.

Lemma 4.6. (Into Mult)

∀U.INTO(U)∧(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))⊃
(K<LENGTH U⊃1=MULT(U,MKSET(NTH(U,K))))

Proof. Assume into(u) and that for all k < length(u) the multiplicity of the set {x : x = k}
is exactly 1.

(proof into_mult)

1. (assume |into(u)|)
(label im1)

2. (assume |∀k.k<length u⊃1=mult(u,mkset k)|)
(label im2)

3. (assume |k<length u|)
(label im3)

4. (rw im1 (open into))
;∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U
;deps: (IM1)

By line 4, nth(u,k) is a number less than length(u). The result is immediate from line 2.

5. (ue (k |nth(u,k)|) im2 (use im3 * mode: exact))
;1=MULT(U,MKSET(NTH(U,K)))
;deps: (IM1 IM2 IM3)

6. (ci im3)
;K<LENGTH U⊃1=MULT(U,MKSET(NTH(U,K)))
;deps: (IM1 IM2)

7. (ci (im1 im2))
;INTO(U)∧(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))⊃
;(K<LENGTH U⊃1=MULT(U,MKSET(NTH(U,K))))

(label into_mult) ■
4.4.4. The Main Result for Lists: Every Permutation is an Injection.

We now give the main result for functions represented as lists of numbers.

Theorem (Perm Inj)  ∀U.PERM(U)⊃INJ(U)

Proof.

(proof perm_inj)

1. (assume |perm u|)(label perm_inj1)

2. (rw * (open perm onto))
;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))
(label perm_inj2)

Second step: multiplicity is positive

;labels: MEMBER_MULT
;∀U Y A.MEMBER(Y,U)∧A(Y)⊃1≤MULT(U,A)

3. (ue ((u.u)(y.n)(a.|mkset n|)) member_mult
(part 1 (open mkset)))
;MEMBER(N,U)⊃1≤MULT(U,MKSET(N))

4. (derive |∀n.n<length u⊃1≤mult(u,mkset n)| (perm_inj2 *))
(label perm_inj3)
;deps: (PERM_INJ1)

Third step: the application of the pigeon hole principle

5. (ue ((setseq.|λxv.mkset(xv)|)(u.u))
pigeonlist disjoint_number perm_inj3)
;∀K.K<LENGTH U⊃1=MULT(U,MKSET(K))
(label perm_inj4)
;deps: (PERM_INJ1)

6. (ci perm_inj1)
;PERM(U)⊃(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))

Fourth step: injectivity (using Lemmata INTO_MULT and MULT_INJ)

;labels: INTO_MULT
;∀U.INTO(U)∧(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))⊃
; (∀I.I<LENGTH U⊃1=MULT(U,MKSET(NTH(U,I))))

7. (derive |∀i.i<length u⊃1=mult(u,mkset(nth(u,i)))|
(into_mult perm_inj2 *))
;deps: (PERM_INJ1)

;labels: MULT_INJ
;∀V.(∀K.K<LENGTH V⊃MULT(V,MKSET(NTH(V,K)))=1)⊃INJ(V)

8. (ue (v u) mult_inj *)
;INJ(U)
;deps: (PERM_INJ1)

(derive |inj(u)| (perm_inj1 perm_inj4 perm_inj_lemma))
;deps: (PERM_INJ1)

(ci perm_inj1)
;PERM(U)⊃INJ(U)

(label perm_injectivity) ■




5. Representation using Association Lists.

In this section we prove that permutations (over a finite domain) form a group, using the
representation of functions by association lists.

Remark. In this representation we do not need to restrict ourselves to functions from numbers
to numbers: we may consider permutations of any finite set. However it is customary to view
association lists as maps from atoms to S-expressions. We keep this convention.

To define our functions as maps from atoms to atoms would slightly simplify some proofs
below: notice that we need the assumption that all the members in the range are atoms in order
to prove the lemmata Invalistsort, Dom Invalist, Range Invalist as well as Theorem 3 (ii) and (iii).
In the case of permutations this condition is a consequence of the definition of permutation (as a
map of a domain of atoms onto itself).


5.1. Definitions of Composition, Inverse and Identity.

The following functions and predicates on alists represent composition of functions, the identity
function and the inverse of a function. Since the domain of our functions is not fixed in advance,
we must use a predicate rather than a function for identity.

;functions as association lists
(proof assoc)

;composition of functions

1. (decl (compalist) (infixname: |∘|) (type: |ground⊗ground→ground|)
(syntype: constant) (bindingpower: 930))

2. (defax compalist
|∀alist1 alist2 xa y.nil ∘ alist2=nil∧
((xa.y).alist1) ∘ alist2=
(xa.appalist(y,alist2)).(alist1 ∘ alist2)|)
(label compalistdef)

;the inverse function

3. (decl invalist (type: GROUND→GROUND))

4. (defax invalist
|∀alist xa y.invalist nil=nil∧
invalist((xa.y).alist)=(y.xa).invalist alist|)
(label invalistdef)

;the identity function

5. (decl idalistp (type: GROUND→TRUTHVAL))

6. (defax idalistp
|∀alist xa y.idalistp(nil)∧
(idalistp((xa.y).alist)≡xa=y∧idalistp alist)|)
(label idalistpdef)


Remark. In the present section the reader should keep in mind that

appalist(x,alist_f ∘ alist_g)

represents (g ∘ f)(x). It would be helpful to use left notation x(f g) for functions in our comments,
but we do not want to change our notation just for one section.


5.2. Almost All the Facts.

We collect here some Lemmata of general use. Their proofs are remarkably short applications
of alistinduction. The first two lemmata are used to check sorts for invalist and compalist.

(proof alistfacts)

1. (ue (chi |λalist.alistp(alist ∘ alist1)|)
alistinduction
(part 1 (open compalist)(use appalistsort mode: exact)))
;∀ALIST.ALISTP ALIST ∘ ALIST1
(label simpinfo) (label compalistsort) ■

2. (ue (chi |λalist.allp(λx.atom x,range alist)⊃alistp invalist(alist)|)
alistinduction
(open range member invalist)
(use allpfact
ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃ALISTP INVALIST(ALIST)
(label simpinfo) (label invalistsort) ■

We must consider with special care the behavior of the LISP function

λalist x.appalist(x,alist).

It is defined as λalist x.cdr(assoc(x,alist)), so it associates with x the first y such that (x.y)
belongs to alist, and has default value NIL if there is no such y.

In Lemma 5.1, by assuming that x belongs to dom(alist), we ignore the default case; in Lemma
5.2, by taking into account the default case, we prove equality instead of inclusion of domains.
Next, Lemma 5.3 proves that if x belongs to dom(alist), then the value of appalist(x,alist)
is not the default value NIL, but an element belonging to range(alist); Lemma 5.4 says that if
z belongs to range(alist), then there is an x in dom(alist) such that appalist(x,alist) = z.
Observe that this need not be true unless alist represents a function, i.e. unless dom(alist) has
the uniqueness property. Indeed, if some (x.z1) occurs in alist before (x.z), with z1 ≠ z, then
appalist(x,alist) will give z1 as value.
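The definitions of Section 5.1 together with the first-match behaviour of appalist just described, as an added Python model written for this edition (not the paper's EKL code): an alist is a list of (car, cdr) pairs, NIL is None, assoc returns the first pair with the given car, and the helper names range_, app_compalist_holds, dom_compalist_holds and nonempty_domain_witnesses are mine.

```python
# Added illustration, not the paper's EKL code.  An alist is a Python list of
# (xa, y) pairs kept in order; LISP's NIL is modelled by None.

NIL = None

def assoc(x, alist):
    """LISP assoc: the first pair (x . y) of alist whose car is x, else NIL."""
    for pair in alist:
        if pair[0] == x:
            return pair
    return NIL

def appalist(x, alist):
    """appalist(x,alist) = cdr(assoc(x,alist)), with default value NIL."""
    pair = assoc(x, alist)
    return NIL if pair is NIL else pair[1]

def dom(alist):
    """dom(alist): the list of cars, in order (may contain repetitions)."""
    return [xa for xa, _ in alist]

def range_(alist):          # trailing underscore avoids shadowing Python's range()
    """range(alist): the list of cdrs, in order."""
    return [y for _, y in alist]

def mklset(u):
    return frozenset(u)

def uniqueness(u):
    """uniqueness(u): no element of the list u occurs twice."""
    return len(mklset(u)) == len(u)

def functp(alist):
    return uniqueness(dom(alist))

def permutp(alist):
    """permutp: a function whose domain and range are the same set."""
    return functp(alist) and mklset(dom(alist)) == mklset(range_(alist))

def compalist(alist1, alist2):
    """alist1 ∘ alist2 by the recursion of defax compalist:
    nil ∘ alist2 = nil;
    ((xa.y).alist1) ∘ alist2 = (xa.appalist(y,alist2)).(alist1 ∘ alist2)."""
    if not alist1:
        return []
    (xa, y), rest = alist1[0], alist1[1:]
    return [(xa, appalist(y, alist2))] + compalist(rest, alist2)

def invalist(alist):
    """defax invalist: swap car and cdr of every pair."""
    return [(y, xa) for xa, y in alist]

def idalistp(alist):
    """defax idalistp: every pair is (xa . xa)."""
    return all(xa == y for xa, y in alist)

def app_compalist_holds(alist, alist1):
    """Lemma 5.1 (App Compalist), checked over dom(alist): (g∘f)(x) = g(f(x))."""
    comp = compalist(alist, alist1)
    return all(appalist(x, comp) == appalist(appalist(x, alist), alist1)
               for x in dom(alist))

def dom_compalist_holds(alist, alist1):
    """Lemma 5.2 (Dom Compalist): dom(alist ∘ alist1) = dom(alist), default case included."""
    return dom(compalist(alist, alist1)) == dom(alist)

def nonempty_domain_witnesses(alist, z):
    """Lemma 5.4 (Nonempty Domain): the x in dom(alist) with appalist(x,alist) = z.
    Empty when uniqueness(dom(alist)) fails and an earlier pair shadows z."""
    return [x for x in dom(alist) if appalist(x, alist) == z]
```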




Lemma 5.1 (App Compalist)  (g ∘ f)(x) = g(f(x)):

∀ALIST ALIST1 X.MEMBER(X,DOM(ALIST))⊃
APPALIST(X,ALIST ∘ ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)

Proof.

3. (ue (chi |λalist.member(x,dom(alist))⊃
appalist(x,alist ∘ alist1)=
appalist(appalist(x,alist),alist1)|)
alistinduction
(part 1 (use appalistdef mode: always)
(open dom member compalist assoc))
(use normal mode: always))
;∀ALIST.MEMBER(X,DOM(ALIST))⊃
; APPALIST(X,ALIST ∘ ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)

(label app_compalist) (label alist_lemma1) ■

The following Lemma says that the domain of g ∘ f is a subset of the domain of f.

Lemma 5.2 (Dom Compalist)

∀ALIST ALIST1.DOM(ALIST ∘ ALIST1)=DOM(ALIST)

Proof.

4. (ue (chi |λalist.dom(alist ∘ alist1)=dom(alist)|)
alistinduction
(open compalist dom))
;∀ALIST.DOM(ALIST ∘ ALIST1)=DOM(ALIST)

(label dom_compalist)(label alist_lemma2) ■

The next two Lemmata will be used in the proof of Theorem 1(i).

Lemma 5.3 says that if x belongs to the domain of f then there is a y = f(x) that belongs
to the range of f.

Lemma 5.3 (Nonempty Range)

∀ALIST X.MEMBER(X,DOM ALIST)⊃
(∃Y.MEMBER(Y,RANGE ALIST)∧APPALIST(X,ALIST)=Y)

The argument is by induction on alists.

(proof alist_lemmas)

1. (ue (chi |λalist.member(x,dom alist)⊃
somep(λy.appalist(x,alist)=y,range alist)|)
alistinduction
(part 1 (open dom somep range member appalist assoc))
(use normal mode: always))
;∀ALIST.MEMBER(X,DOM(ALIST))⊃SOMEP(λY.APPALIST(X,ALIST)=Y,RANGE(ALIST))

2. (rw * (use somepfact mode: exact))
;∀ALIST.MEMBER(X,DOM(ALIST))⊃
; (∃X1.MEMBER(X1,RANGE(ALIST))∧APPALIST(X,ALIST)=X1)

(label nonempty_range) (label alist_lemma3) ■
Remark. Example 7. We prove first the formula in line 1 (containing the recursively defined
predicate somep instead of the existential quantifier as in line 2). In this way we considerably shorten
the proof. Let's analyze the proof and see how the rewriter of EKL simulates it.

The induction step of line 1 is

;(∀XA Y ALIST.(MEMBER(X,DOM(ALIST))⊃
; SOMEP(λY2.APPALIST(X,ALIST)=Y2,RANGE(ALIST)))⊃
; (MEMBER(X,DOM((XA.Y).ALIST))⊃
; SOMEP(λY1.APPALIST(X,(XA.Y).ALIST)=Y1,RANGE((XA.Y).ALIST))))

By expanding

member(x,dom((xa.y).alist))

we obtain two cases:

(i) x=xa, in which case cdr(assoc(x,(xa.y).alist)) is y, and y is clearly a member of
range((xa.y).alist);

(ii) member(x,dom alist). In this case the induction hypothesis yields
somep(λy2.appalist(x,alist)=y2,range(alist)).

(The two cases are dealt with separately by using as a rewriter the formula

∀p q r.(p∨q⊃r)≡(p⊃r)∧(q⊃r)

labeled NORMAL, as we saw in previous examples.)

Consider how the rewriting process accomplishes this inference. By expanding appalist and
assoc in

(*)  SOMEP(λY1.APPALIST(X,(XA.Y).ALIST)=Y1,RANGE((XA.Y).ALIST))

we have:

;the term APPALIST(X,(XA.Y).ALIST) is replaced by:
CDR ASSOC(X,(XA.Y).ALIST)

;the term ASSOC(X,(XA.Y).ALIST) is replaced by:
IF X=XA THEN XA.Y ELSE ASSOC(X,ALIST)

Now the conditional term is 'pushed outside' the function cdr:

;the term CDR (IF X=XA THEN XA.Y ELSE ASSOC(X,ALIST)) is replaced by:
IF X=XA THEN CDR (XA.Y) ELSE CDR ASSOC(X,ALIST)

;the term CDR (XA.Y) is replaced by:
Y

;the term (IF X=XA THEN Y ELSE CDR ASSOC(X,ALIST))=Y1 is replaced by:
IF X=XA THEN Y=Y1 ELSE CDR ASSOC(X,ALIST)=Y1

Next, by expanding range we obtain:

;the term RANGE((XA.Y).ALIST) is replaced by:
Y.RANGE(ALIST)

Now somep is expanded:



;the term
SOMEP(λY1.(IF X=XA THEN Y=Y1 ELSE CDR ASSOC(X,ALIST)=Y1),Y.RANGE(ALIST))

is replaced by:

IF (IF X=XA
    THEN Y=Y
    ELSE CDR ASSOC(X,ALIST)=Y)
THEN TRUE
ELSE SOMEP(λY1.(IF X=XA
               THEN Y=Y1
               ELSE CDR ASSOC(X,ALIST)=Y1),RANGE(ALIST))

In the innermost conditional

;the term Y=Y is replaced by:
TRUE

so that the 'if' case of the outer conditional becomes

;the term IF X=XA THEN TRUE ELSE CDR ASSOC(X,ALIST)=Y is replaced by:
X=XA∨CDR ASSOC(X,ALIST)=Y

On the other hand, in the 'else' case of the outer conditional

;the term X=XA is replaced by:
FALSE

;the term IF FALSE THEN Y=Y1 ELSE CDR ASSOC(X,ALIST)=Y1 is replaced by:
CDR ASSOC(X,ALIST)=Y1

In conclusion, the term (*) becomes

X=XA∨CDR ASSOC(X,ALIST)=Y∨SOMEP(λY1.CDR ASSOC(X,ALIST)=Y1,RANGE(ALIST))

and it is this formula that rewrites to true in both cases (i) and (ii). □

Similarly, Lemma 5.4 says that if z belongs to the range of f then there is an x in the domain
of f such that f(x) = z. The proof is left to the Appendix.

Lemma 5.4 (Nonempty Domain)

∀ALIST Z.UNIQUENESS DOM(ALIST)∧MEMBER(Z,RANGE ALIST)⊃
(∃X.MEMBER(X,DOM ALIST)∧APPALIST(X,ALIST)=Z)

(label alist_lemma4)

The following Lemma (describing the behavior of compalist with respect to the second alist)
is used in the induction step of the proofs of theorems 3(ii) and 3(iii).

;compalist lemma

5. (ue (chi |λalist.¬member(za,range alist)⊃
alist ∘ ((za.z).alist1)=alist ∘ alist1|)
alistinduction
(open member range compalist assoc) (use demorgan mode: always))
;∀ALIST.¬MEMBER(ZA,RANGE(ALIST))⊃ALIST ∘ ((ZA.Z).ALIST1)=ALIST ∘ ALIST1
(label compalist_lemma) ■
We easily check that samemap guarantees identity of composition on the right: (Samemap
Right)

6. (ue (chi |λalist.samemap(alist1,alist2)⊃alist ∘ alist1=alist ∘ alist2|)
alistinduction
(part 1 (open compalist samemap)))
;∀ALIST.SAMEMAP(ALIST1,ALIST2)⊃ALIST ∘ ALIST1=ALIST ∘ ALIST2
(label simpinfo) (label samemap_right) ■

When composing on the left, the best possible analogue is the following: (Samemap Left)

∀ALIST ALIST1 ALIST2.SAMEMAP(ALIST1,ALIST2)⊃
SAMEMAP(ALIST1 ∘ ALIST,ALIST2 ∘ ALIST)

The proof uses Lemmata 5.1 and 5.2 and is left to the Appendix.

The main property of the identity alist is given by the following:

Lemma 5.5 (Main Idalistp)

∀ALIST Y.IDALISTP(ALIST)∧MEMBER(Y,DOM(ALIST))⊃CDR ASSOC(Y,ALIST)=Y

Proof.

7. (ue (chi |λalist.idalistp(alist)∧member(y,dom alist)⊃
appalist(y,alist)=y|)
alistinduction
(open idalistp appalist assoc member dom) (use normal mode: always))
;∀ALIST.IDALISTP(ALIST)∧MEMBER(Y,DOM(ALIST))⊃CDR ASSOC(Y,ALIST)=Y
(label idalistp_main) ■

Finally, we prove two lemmata essential for the proof of Theorem 3.

We show that dom(invalist) is the same as range and that range(invalist) is dom.

;dom invalist

8. (ue (chi |λalist.allp(λx.atom x,range alist)⊃
dom invalist(alist)=range alist|)
alistinduction
(open dom range invalist) (use invalistsort)
(use allpfact
ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃
; DOM(INVALIST(ALIST))=RANGE(ALIST)
(label dom_invalist) ■

;range invalist

9. (ue (chi |λalist.allp(λx.atom x,range alist)⊃
range invalist(alist)=dom alist|)
alistinduction
(open dom range invalist) (use invalistsort)
(use allpfact
ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃
; RANGE(INVALIST(ALIST))=DOM(ALIST)
(label range_invalist) ■


5.3. The Composition of Permutations is a Permutation.

We want to prove that if two alists, alist and alist1, are permutp, then also their composition
alist ∘ alist1 is a permutp: i.e. (by the definition of permutp) we know that the domains of
alist and alist1 have the uniqueness property and their 'domains' and 'ranges' are the same set,
and we want to show that

(i) uniqueness holds of dom(alist ∘ alist1);

(ii) the dom and the range of (alist ∘ alist1) are the same set.

To prove (i) it is enough to show that dom(alist ∘ alist1) is the same as dom(alist). To
prove (ii) we prove inclusion in both directions.

The proof of (ii) is the longest in this section. The reason is that we cannot use induction on
alists in proving facts about the range of dom(alist ∘ alist1) as a set.

Theorem 1 (i) (Permutp Compalist)

∀ALIST ALIST1.PERMUTP(ALIST)∧PERMUTP(ALIST1)∧
MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
PERMUTP(ALIST ∘ ALIST1)

This is proved through a main Lemma:

Lemma Range Compose, part 1:

∀ALIST ALIST1.PERMUTP(ALIST)∧
MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
MKLSET(RANGE(ALIST ∘ ALIST1))⊂MKLSET(RANGE(ALIST1))

Lemma Range Compose, part 2:

∀ALIST ALIST1.PERMUTP(ALIST)∧PERMUTP(ALIST1)∧
MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
MKLSET(RANGE(ALIST1))⊂MKLSET(RANGE(ALIST ∘ ALIST1))


5.3.1. Proof Range Compose, First Part.

In Part 1 we show that if permutp(alist) and mklset dom(alist)=mklset dom(alist1),
then range(alist ∘ alist1) is a subset of range(alist1).

Let f and g be the functions represented by alist and alist1, respectively. The argument can
be summarized as follows: given z in the range of g ∘ f, choose an element x in the inverse image
of z by g ∘ f. Such an element is in the domain of f. By definition of composition, if z = (g ∘ f)(x),
then z = g(f(x)). So z belongs to the range of g.
(proof range_compose)

1. (assume |permutp(alist)|)
(label rc1)

2. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST))∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label rc2)
;deps: (RC1)

The next line says that the functions f and g represented by alist and alist1 have the same domain.

3. (assume |mklset dom(alist)=mklset dom(alist1)|)
(label rc3)

4. (assume |member(z,range(alist oo alist1))|)
(label rc4)

By applying Lemma 4 we associate to z an element x_z in dom(alist oo alist1). By Lemma 2, x_z lies in dom(alist) (line 6).

5. (ue ((alist.|alist oo alist1|)(z.z)) nonempty_domain
(use dom_compalist rc2 rc4 mode: exact))
;∃X.MEMBER(X,DOM(ALIST))∧APPALIST(X,ALIST oo ALIST1)=Z
;deps: (RC1 RC4)

6. (define xxvv
|member(xxvv,dom alist)∧appalist(xxvv,alist oo alist1)=z| *)
(label rc5)
;deps: (RC1 RC4)

Apply Lemma 1:

7. (rw * (use app_compalist mode: always))
;MEMBER(XXVV,DOM(ALIST))∧APPALIST(APPALIST(XXVV,ALIST),ALIST1)=Z
(label rc6)
;deps: (RC1 RC4)

This represents the fact that if z = (g ∘ f)(x_z), then z = g(f(x_z)). The proof is not finished, however. We have to check that the two applications of appalist do not give the default value.

By applying Lemma 3, we associate to x_z its image y_z in range(alist).

8. (define yyvv |member(yyvv,range alist)∧appalist(xxvv,alist)=yyvv|
(nonempty_range rc6))
(label rc7)
;deps: (RC1 RC4)

9. (trw |yyvv ∈ mklset range(alist)| (open mklset epsilon) rc7)
;YYVV∈MKLSET(RANGE(ALIST))
;deps: (RC1 RC4)

By the assumption of line 3 we know that y_z belongs to dom(alist1).

10. (rw * (use rc2 mode: exact direction: reverse)
(use rc3 mode: exact))
;YYVV∈MKLSET(DOM(ALIST1))
;deps: (RC1 RC3 RC4)

11. (rw * (open epsilon mklset))
;MEMBER(YYVV,DOM(ALIST1))
;deps: (RC1 RC3 RC4)

We apply Lemma 3 again to pick the image of y_z in range(alist1).

12. (define zzvv |member(zzvv,range alist1)∧appalist(yyvv,alist1)=zzvv|
(nonempty_range *))
(label rc8)
;deps: (RC1 RC3 RC4)

By lines 7 and 8 such an image is z.

13. (rw rc6 rc7)
;MEMBER(XXVV,DOM(ALIST))∧APPALIST(YYVV,ALIST1)=Z
;deps: (RC1 RC4)

14. (trw |zzvv=z| * (use rc8 mode: always direction: reverse))
;ZZVV=Z
;deps: (RC1 RC3 RC4)

Hence, z is in range(alist1).

15. (trw |member(z,range alist1)| rc8
(use * mode: exact direction: reverse))
;MEMBER(Z,RANGE(ALIST1))
;deps: (RC1 RC3 RC4)

16. (ci rc4)
;MEMBER(Z,RANGE(ALIST oo ALIST1))⊃MEMBER(Z,RANGE(ALIST1))
;deps: (RC1 RC3)

17. (trw |mklset range(alist oo alist1)⊂mklset range(alist1)| *
(open mklset inclusion))
;MKLSET(RANGE(ALIST oo ALIST1))⊂MKLSET(RANGE(ALIST1))
;deps: (RC1 RC3)

18. (ci (rc1 rc3))
;PERMUTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
;MKLSET(RANGE(ALIST oo ALIST1))⊂MKLSET(RANGE(ALIST1))
(label range_compose)
5.3.2. Proof of Range Compose, Second Part.

In Part 2, again under the assumption that

permutp(alist) ∧ mklset dom(alist)=mklset dom(alist1),

we prove that

range(alist1) ⊂ range(alist oo alist1).

The derivation represents the following argument: suppose that f and g are maps of the same finite set onto itself and z belongs to the range of g. If y_z is in the inverse image of z by g, then y_z is in the range of f. Moreover, if x_z is in the inverse image of y_z by f, then z = g(f(x_z)), i.e. z = (g ∘ f)(x_z). Therefore z is in the range of g ∘ f.

(proof range_compose2)

1. (assume |permutp(alist)|)
(label rc21)

2. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST))∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label rc22)

3. (assume |permutp(alist1)|)
(label rc23)

4. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST1))∧MKLSET(DOM(ALIST1))=MKLSET(RANGE(ALIST1))
(label rc24)

5. (assume |mklset dom(alist)=mklset dom(alist1)|)
(label rc25)

6. (assume |member(z,range alist1)|)
(label rc26)

Given z in range(alist1), using Lemma 4 we pick a y_z in dom(alist1) such that

appalist(y_z,alist1) = z.

7. (define yv1 |member(yv1,dom alist1)∧appalist(yv1,alist1)=z|
(nonempty_domain rc24 rc26))
(label rc27)

8. (trw |yv1 ∈ mklset dom(alist1)| * (open epsilon mklset))
;YV1∈MKLSET(DOM(ALIST1))
;deps: (RC23 RC26)

By our assumptions y_z is in range(alist).

9. (rw * (use rc25 mode: exact direction: reverse)
(use rc22 mode: exact))
;YV1∈MKLSET(RANGE(ALIST))
;deps: (RC21 RC23 RC25 RC26)

10. (rw * (open epsilon mklset))
;MEMBER(YV1,RANGE(ALIST))
(label rc28)
;deps: (RC21 RC23 RC25 RC26)

By applying Lemma 4 again we can pick x_z in dom(alist) such that

appalist(x_z,alist) =

11. (define xv1 |member(xv1,dom alist)∧appalist(xv1,alist)=yv1|
(nonempty_domain rc22 rc28))
(label rc29)
;deps: (RC21 RC23 RC25 RC26)

Apply Lemma 2:

12. (trw |member(xv1,dom(alist oo alist1))| * (use dom_compalist))
;MEMBER(XV1,DOM(ALIST oo ALIST1))
(label rc30)
;deps: (RC21 RC23 RC25 RC26)

Now, by rewriting, we derive

z = appalist(appalist(x_z,alist),alist1) = appalist(x_z,alist oo alist1).

13. (trw |appalist(xv1,alist oo alist1)| rc29 rc30
(use app_compalist rc29 rc27 mode: always))
;APPALIST(XV1,ALIST oo ALIST1)=Z
(label rc31)
;deps: (RC21 RC23 RC25 RC26)

We have to check that z is not the default value of appalist. We apply Nonempty Range:

14. (ue ((alist.|alist oo alist1|)(x.xv1)) nonempty_range
(use dom_compalist rc22 rc30 mode: always))
;∃Y.MEMBER(Y,RANGE(ALIST oo ALIST1))∧APPALIST(XV1,ALIST oo ALIST1)=Y
;deps: (RC21 RC23 RC25 RC26)

15. (define zv1 |member(zv1,range(alist oo alist1))∧
appalist(xv1,alist oo alist1)=zv1| *)
(label rc32)
;deps: (RC21 RC23 RC25 RC26)

16. (trw |zv1=z| rc31 (use * mode: always direction: reverse))
;ZV1=Z
;deps: (RC21 RC23 RC25 RC26)

So z belongs to range(alist oo alist1).

17. (trw |member(z,range(alist oo alist1))| rc32
(use * mode: exact direction: reverse))
;MEMBER(Z,RANGE(ALIST oo ALIST1))
;deps: (RC21 RC23 RC25 RC26)

18. (ci rc26)
;MEMBER(Z,RANGE(ALIST1))⊃MEMBER(Z,RANGE(ALIST oo ALIST1))
;deps: (RC21 RC23 RC25)

19. (trw |mklset range(alist1)⊂mklset range(alist oo alist1)| *
(open inclusion mklset))
;MKLSET(RANGE(ALIST1))⊂MKLSET(RANGE(ALIST oo ALIST1))
;deps: (RC21 RC23 RC25)

20. (ci (rc21 rc23 rc25))
;PERMUTP(ALIST)∧PERMUTP(ALIST1)∧MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
;MKLSET(RANGE(ALIST1))⊂MKLSET(RANGE(ALIST oo ALIST1))
(label range_compose)


5.3.3. Conclusion of the Proof of Permutp Compose.

Now we conclude the theorem: by Lemma Range Compose and extensionality we show that

mklset(range(alist oo alist1)) = mklset(range(alist1))

(line 7). By the definition of permutp and the assumption that alist and alist1 are permutations of the same set (line 3), mklset range(alist1) is equal to mklset dom(alist). An application of Lemma 2 (line 10) is enough to reach the conclusion.

(proof permutp_compalist)

1. (assume |permutp(alist)|)
(label permut_comp1)

2. (assume |permutp(alist1)|)
(label permut_comp2)

3. (assume |mklset(dom(alist))=mklset(dom(alist1))|)
(label permut_comp3)

4. (derive |mklset(range(alist oo alist1))⊂mklset(range(alist1))∧
mklset(range(alist1))⊂mklset(range(alist oo alist1))|
(permut_comp1 permut_comp2 permut_comp3 range_compose))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

5. (rw * (open inclusion))
;(∀XV.(MKLSET(RANGE(ALIST oo ALIST1)))(XV)⊃(MKLSET(RANGE(ALIST1)))(XV))∧
;(∀XV.(MKLSET(RANGE(ALIST1)))(XV)⊃(MKLSET(RANGE(ALIST oo ALIST1)))(XV))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

6. (derive |∀xv.(mklset range(alist oo alist1))(xv)≡
(mklset range(alist1))(xv)| *)

Remember Set Extensionality.

;labels: SET_EXTENSIONALITY
;(AXIOM |∀A B.(∀XV.XV∈A≡XV∈B)⊃A=B|)

7. (ue ((a.|mklset range(alist oo alist1)|)
(b.|mklset range(alist1)|))
set_extensionality
* (open epsilon))
;MKLSET(RANGE(ALIST oo ALIST1))=MKLSET(RANGE(ALIST1))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)
(label permut_comp4)

8. (rw permut_comp1 (open permutp functp))
;UNIQUENESS(DOM(ALIST))∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label permut_comp5)

9. (rw permut_comp2 (open permutp))
;FUNCTP(ALIST1)∧MKLSET(DOM(ALIST1))=MKLSET(RANGE(ALIST1))

10. (trw |uniqueness(dom(alist oo alist1))∧
mklset dom(alist oo alist1)=mklset range(alist oo alist1)|
(use dom_compalist permut_comp4 mode: exact) permut_comp5
(use * permut_comp3 mode: always direction: reverse))
;UNIQUENESS(DOM(ALIST oo ALIST1))∧
;MKLSET(DOM(ALIST oo ALIST1))=MKLSET(RANGE(ALIST oo ALIST1))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

11. (trw |permutp(alist oo alist1)| * (open permutp functp))
;PERMUTP(ALIST oo ALIST1)
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

12. (ci (permut_comp1 permut_comp2 permut_comp3))
;PERMUTP(ALIST)∧PERMUTP(ALIST1)∧MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
;PERMUTP(ALIST oo ALIST1)
(label permutp_compalist) ■


5.4. Associativity of Composition.

To show that composition is associative is very straightforward. Line 3 simply helps the rewriter in the inductive step to expand the antecedent of the induction formula (line 4).

Theorem 1 (ii) (Compalist Associativity)

∀ALIST ALIST1 ALIST2.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃
ALIST oo (ALIST1 oo ALIST2) = (ALIST oo ALIST1) oo ALIST2

Proof.

(proof compalist_associativity)

1. (trw |mklset(range((xa.y).alist))⊂mklset(dom alist1)⊃
member(y,dom alist1)∧mklset range(alist)⊂mklset dom(alist1)|
(open mklset inclusion range member)
(use normal mode: always))
;MKLSET(RANGE((XA.Y).ALIST))⊂MKLSET(DOM(ALIST1))⊃
;MEMBER(Y,DOM(ALIST1))∧MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))

2. (trw |member(y,dom alist1)∧mklset range(alist)⊂mklset dom(alist1)⊃
mklset(range((xa.y).alist))⊂mklset(dom alist1)| (der)
(open mklset inclusion range member)
(use normal mode: always))

3. (derive |mklset(range((xa.y).alist))⊂mklset(dom alist1)≡
member(y,dom alist1)∧mklset range(alist)⊂mklset dom(alist1)|
(* -2))
(label helpinduction)

4. (ue (chi |λalist.mklset(range alist)⊂mklset(dom alist1)⊃
alist oo (alist1 oo alist2) = (alist oo alist1) oo alist2|)
alistinduction
(part 1 (open compalist) (use app_compalist * mode: always)))
;∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃
; ALIST oo (ALIST1 oo ALIST2)=(ALIST oo ALIST1) oo ALIST2
(label compalist_associativity) ■

5.5. The Identity Alist.

It is a simple matter to prove that an alist representing an identity function satisfies the property permutp.

Theorem 2 (i) (Idalistp Permutp)

∀ALIST.FUNCTP(ALIST)∧IDALISTP(ALIST)⊃PERMUTP(ALIST)

Proof.

1. (ue (chi |λalist.idalistp(alist)⊃dom alist=range alist|) alistinduction
(open idalistp dom range))
;∀ALIST.IDALISTP(ALIST)⊃DOM(ALIST)=RANGE(ALIST)

2. (trw |∀alist.functp(alist)∧idalistp(alist)⊃permutp(alist)|
(open functp permutp)(use * mode: always))
;∀ALIST.FUNCTP(ALIST)∧IDALISTP(ALIST)⊃PERMUTP(ALIST)
(label idalistp_permutp) ■
Using the same 'help' for the rewriter that was used in the preceding section it is easy to prove the main theorem for right identity. We prove that if alist1 represents the identity function i and alist represents a function f (i and f being defined on the right domains), then alist oo alist1 = alist, i.e. i ∘ f = f.

Theorem 2 (ii) (Idalistp Right)

∀ALIST1.IDALISTP(ALIST1)⊃
(∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃ALIST oo ALIST1=ALIST)

Proof.

3. (assume |idalistp(alist1)|)

4. (ue (chi |λalist.mklset(range(alist))⊂mklset(dom(alist1))⊃
(alist oo alist1=alist)|)
alistinduction
(part 1 (open compalist))
(use helpinduction idalistp_main * mode: always))
;∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃ALIST oo ALIST1=ALIST
;deps: (3)

5. (ci -2)
;IDALISTP(ALIST1)⊃
;(∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃ALIST oo ALIST1=ALIST)
(label idalistp_right) ■


Left identity presents a different kind of problem. Here we pay for our sins, namely for the fact that our representation is not unique. What we prove is that if alistid is idalistp then alistid oo alist is in the relation samemap with alist. The proof uses the main fact about the identity alist (lemma Main Idalistp).

Theorem 2 (iii) (Left Idalistp)

∀ALIST.IDALISTP(ALISTID)∧MKLSET(DOM(ALISTID))=MKLSET(DOM(ALIST))⊃
SAMEMAP(ALISTID oo ALIST,ALIST)

Proof.

(proof idalistp_left)

1. (assume |idalistp alistid|)
(label idal_l1)
;ALISTID is unknown.
;the symbol ALISTID is given the same declaration as ALIST

2. (assume |mklset dom(alistid)=mklset dom(alist)|)
(label idal_l2)

3. (assume |y∈mklset(dom(alistid oo alist))|)
(label idal_l3)

4. (rw * (use dom_compalist mode: exact)(open epsilon mklset))
(label idal_l4)
;MEMBER(Y,DOM(ALISTID))
;deps: (IDAL_L3)

5. (trw |appalist(y,alistid oo alist)| (use app_compalist * mode: exact))
;APPALIST(Y,ALISTID oo ALIST)=APPALIST(APPALIST(Y,ALISTID),ALIST)
(label idal_l5)

;labels: IDALISTP_MAIN
;∀ALIST Y.
; IDALISTP(ALIST)∧MEMBER(Y,DOM(ALIST))⊃APPALIST(Y,ALIST)=Y

6. (derive |appalist(y,alistid)=y|
(idalistp_main idal_l1 idal_l4))
;deps: (IDAL_L1 IDAL_L3)

7. (rw idal_l5 *)
;APPALIST(Y,ALISTID oo ALIST)=APPALIST(Y,ALIST)
;deps: (IDAL_L1 IDAL_L3)

8. (ci idal_l3)
;Y∈MKLSET(DOM(ALISTID oo ALIST))⊃
;APPALIST(Y,ALISTID oo ALIST)=APPALIST(Y,ALIST)
(label idal_l6)
;deps: (IDAL_L1)

9. (trw |mklset(dom(alistid oo alist))=mklset dom(alist)|
(use dom_compalist idal_l2 mode: exact))
;MKLSET(DOM(ALISTID oo ALIST))=MKLSET(DOM(ALIST))
;deps: (IDAL_L2)

;labels: SAMEMAPDEF
;∀ALIST ALIST1.SAMEMAP(ALIST,ALIST1)≡
; MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))∧
; (∀Y.Y∈MKLSET(DOM(ALIST))⊃
;  APPALIST(Y,ALIST)=APPALIST(Y,ALIST1))

10. (trw |samemap(alistid oo alist,alist)| (open samemap) (idal_l6 *))
;SAMEMAP(ALISTID oo ALIST,ALIST)
;deps: (IDAL_L1 IDAL_L2)

11. (ci (idal_l1 idal_l2))
;IDALISTP(ALISTID)∧MKLSET(DOM(ALISTID))=MKLSET(DOM(ALIST))⊃
; SAMEMAP(ALISTID oo ALIST,ALIST)
(label idalistp_left) ■


5.6. Inverse of a Permutation is a Permutation.

We promised short proofs for the inverse operation using association lists. Et voilà!

Theorem 3 (ii) (Right Invalist)

∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
IDALISTP(ALIST oo INVALIST(ALIST))

Proof.

(proof invalist)

1. (ue (chi |λalist.allp(λx.atom x,range(alist))∧injectp(alist)⊃
idalistp(alist oo invalist(alist))|)
alistinduction
(part 1
(use allpfact
ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)))
(open range injectp functp uniqueness
invalist idalistp compalist appalist assoc)
(use invalistsort dom_invalist compalist_lemma mode: exact)))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
; IDALISTP(ALIST oo INVALIST(ALIST))
(label invalist_right) ■

Theorem 3 (iii) (Left Invalist)

∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
IDALISTP(INVALIST(ALIST) oo ALIST)

Proof.

2. (assume |allp(λx.atom x,range(alist))|)

3. (ue ((alist.|invalist(alist)|)(alist1.|alist|)(za.xa)(z.y))
compalist_lemma
(use * invalistsort range_invalist mode: exact))
;¬MEMBER(XA,DOM(ALIST))⊃
;INVALIST(ALIST) oo ((XA.Y).ALIST)=INVALIST(ALIST) oo ALIST

4. (ci -2)
;ALLP(λX.ATOM X,RANGE(ALIST))⊃
;(¬MEMBER(XA,DOM(ALIST))⊃
; INVALIST(ALIST) oo ((XA.Y).ALIST)=INVALIST(ALIST) oo ALIST)

5. (ue (chi |λalist.allp(λx.atom x,range(alist))∧injectp(alist)⊃
idalistp(invalist(alist) oo alist)|)
alistinduction
(part 1 (open allp range injectp functp uniqueness
invalist compalist appalist assoc idalistp)
invalistsort (use range_invalist mode: exact) (use * mode: always)))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
; IDALISTP(INVALIST(ALIST) oo ALIST)
(label invalist_left) ■

Part (i) of Theorem 3 is also quite easy. We need first a Lemma, to make sure that

dom(invalist(alist))

is made of atoms only. The proof of this lemma is a simple example of a method of proof frequently used in this paper: first we prove a property of lists by a convenient induction and then we derive a property of sets (i.e. we abstract from the order given by the list).

Lemma (Atomrange)

∀ALIST.MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))⊃
ALLP(λX.ATOM X,RANGE(ALIST))

Proof.

(proof atomrange)

1. (assume |mklset(dom(alist))=mklset(range(alist))|)
(label ar1)

2. (ue (chi |λalist.allp(λx.atom(x),dom alist)|)
alistinduction
(open allp dom))
;∀ALIST.ALLP(λX.ATOM X,DOM(ALIST))
(label ar2)

3. (ue ((phi1.|λx.atom(x)|)(x.x)(u.|dom alist|)) allp_elimination *)
;MEMBER(X,DOM(ALIST))⊃ATOM X

4. (trw |mklset dom(alist)⊂(λx.atom x)| * (open inclusion mklset))
;MKLSET(DOM(ALIST))⊂(λX.ATOM X)

5. (rw * (use ar1 mode: exact))
;MKLSET(RANGE(ALIST))⊂(λX.ATOM X)

6. (rw * (open inclusion mklset))
;∀XV.MEMBER(XV,RANGE(ALIST))⊃ATOM XV

7. (ue ((phi1.|λx.atom x|)(u.|range alist|))
allp_introduction *)
;ALLP(λX.ATOM X,RANGE(ALIST))

8. (ci ar1)
;MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))⊃ALLP(λX.ATOM X,RANGE(ALIST))
(label atomrange) ■

Now we can prove

Theorem 3 (i) (Permutp Invalist)

∀ALIST.PERMUTP(ALIST)⊃PERMUTP(INVALIST(ALIST))

Proof. By our application of the Pigeon Hole Principle we know that

∀ALIST.PERMUTP(ALIST)⊃INJECTP(ALIST)

(see Permutp Injectp, Section 4.3.5). Lines 3 and 4 will give permutp(invalist(alist)) (line 10), using the fact that

(i) dom(invalist(alist)) is range(alist) (line 6) and

(ii) range(invalist(alist)) is dom(alist) (line 7);

these are true because of our Lemma Atomrange (line 5).

(proof permutp_invalist)

1. (assume |permutp alist|)
(label piv1)

2. (derive |injectp alist| (permutp_injectp piv1))
;deps: (PIV1)

3. (rw * (open injectp))
;FUNCTP(ALIST)∧UNIQUENESS(RANGE(ALIST))
(label piv2)

4. (rw piv1 (open permutp))
;FUNCTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label piv3)

5. (derive |allp(λx.atom x,range alist)| (atomrange *))
(label piv4)

6. (derive |dom invalist(alist)=range alist| (dom_invalist *))
(label piv5)

7. (derive |range invalist(alist)=dom alist| (range_invalist piv4))
(label piv6)

8. (trw |uniqueness dom(invalist(alist))| piv2 (use piv5))
;UNIQUENESS(DOM(INVALIST(ALIST)))
(label piv7)

9. (trw |mklset dom(invalist(alist))=mklset range(invalist(alist))|
piv3 (use piv5 piv6))
;MKLSET(DOM(INVALIST(ALIST)))=MKLSET(RANGE(INVALIST(ALIST)))
(label piv8)

10. (trw |permutp invalist(alist)| piv7 piv8
(open permutp functp) (use invalistsort piv4 mode: exact))
;PERMUTP(INVALIST(ALIST))
;deps: (PIV1)

11. (ci piv1)
;PERMUTP(ALIST)⊃PERMUTP(INVALIST(ALIST))
(label permutp_invalist) ■
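To make the alist representation of Sections 5.3 to 5.6 concrete, here is an added example in Python (not code from the paper or from EKL): it models alists as lists of pairs, implements dom, range, appalist, compalist, invalist, permutp, idalistp and samemap as the text describes them, and checks Theorems 1 to 3 on constructed permutations of {1,2,3}. The Python bodies, the DEFAULT value returned by a failed appalist lookup and the sample alists are assumptions of this example.

```python
"""Alist model of finite functions (Section 5): an added illustration.
An alist is a list of (x, y) pairs for the LISP dotted pairs (x . y); the
Python bodies, DEFAULT and the sample alists are assumptions."""

DEFAULT = None  # assumed stand-in for the "default value" of appalist

def dom(alist):
    return [x for x, _ in alist]

def range_(alist):
    return [y for _, y in alist]

def mklset(lst):
    # the set abstracted from a list: order and repetitions are forgotten
    return frozenset(lst)

def uniqueness(lst):
    return len(set(lst)) == len(lst)

def appalist(x, alist):
    # assoc: value of the first pair keyed by x, DEFAULT when x is absent
    for key, val in alist:
        if key == x:
            return val
    return DEFAULT

def compalist(alist, alist1):
    # alist oo alist1: apply alist first, then alist1.  This realises Lemma 1,
    # appalist(x, alist oo alist1) = appalist(appalist(x, alist), alist1),
    # and Lemma 2, dom(alist oo alist1) = dom(alist).
    return [(x, appalist(y, alist1)) for x, y in alist]

def invalist(alist):
    return [(y, x) for x, y in alist]

def functp(alist):
    return uniqueness(dom(alist))

def injectp(alist):
    return functp(alist) and uniqueness(range_(alist))

def permutp(alist):
    return functp(alist) and mklset(dom(alist)) == mklset(range_(alist))

def idalistp(alist):
    # every pair is (x . x), so appalist(y, alist) = y for y in dom(alist)
    return all(x == y for x, y in alist)

def samemap(alist, alist1):
    return (mklset(dom(alist)) == mklset(dom(alist1)) and
            all(appalist(y, alist) == appalist(y, alist1) for y in dom(alist)))

def check_group_laws(alist, alist1, alist2):
    """Theorems 1-3 instantiated on three permutp alists of one set."""
    assert all(permutp(a) for a in (alist, alist1, alist2))
    assert mklset(dom(alist)) == mklset(dom(alist1)) == mklset(dom(alist2))
    comp = compalist(alist, alist1)
    ident = [(x, x) for x in dom(alist)]
    return {
        # Theorem 1 (i) and Lemma Range Compose (both inclusions)
        "permutp_compalist": permutp(comp),
        "range_compose": mklset(range_(comp)) == mklset(range_(alist1)),
        # Theorem 1 (ii): associativity as exact list equality
        "associativity": compalist(alist, compalist(alist1, alist2))
        == compalist(compalist(alist, alist1), alist2),
        # Theorem 2 (ii) is an equality, Theorem 2 (iii) only a samemap
        "idalistp_right": compalist(alist, ident) == alist,
        "idalistp_left": samemap(compalist(ident, alist), alist),
        # Theorem 3: invalist is a permutation and a two-sided inverse
        "permutp_invalist": permutp(invalist(alist)),
        "invalist_right": idalistp(compalist(alist, invalist(alist))),
        "invalist_left": idalistp(compalist(invalist(alist), alist)),
    }

def left_identity_is_only_samemap():
    # "we pay for our sins": an identity alist may list its pairs in another
    # order or repeat them, so alistid oo alist need not equal alist
    alist = [(1, 2), (2, 3), (3, 1)]
    alistid = [(3, 3), (1, 1), (1, 1), (2, 2)]
    left = compalist(alistid, alist)
    return left, left == alist, samemap(left, alist)

def range_inclusion_needs_equal_domains():
    # without mklset dom(alist) = mklset dom(alist1) the second appalist can
    # return DEFAULT, and range(alist oo alist1) escapes range(alist1)
    alist, alist1 = [(1, 5), (2, 1)], [(1, 2), (2, 1)]
    comp = compalist(alist, alist1)
    return comp, mklset(range_(comp)) <= mklset(range_(alist1))

if __name__ == "__main__":
    print(check_group_laws([(1, 2), (2, 3), (3, 1)],
                           [(1, 3), (2, 1), (3, 2)], [(1, 1), (2, 3), (3, 2)]))
    print(left_identity_is_only_samemap(), range_inclusion_needs_equal_domains())
```

The last two functions show the two caveats the proofs spend most of their lines on: left identity holds only up to samemap, and the range inclusion needs the equal-domain hypothesis so that appalist never returns its default value.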
6. Representation using Lists of Numbers.

The rest of this paper contains the proof that permutations (of a finite set) form a group, with functions being represented by lists of numbers.


6.1. General Comments on the Choice of the LISP Functions or Predicates.

After the main features of a certain representation have been chosen, many variations are possible, not all equally desirable. Our representation of permutations by lists of numbers 'lists the range' in the order given by the domain. However, given a 1-1 finite function h : N_n → N, we could have 'listed the domain' in the order given by the range.† We could represent the operation of 'applying a list v' to a number k in the domain of h by (λn.position(v,n))(k), where position gives the number corresponding to the (first) position of the number n in the list v. Then we have

position(v,k) = h(k).

Our representation has the advantage that it allows the representation of any finite function, not only injections and permutations.

Given a certain LISP program, different formal representations are possible. For instance, when we express our programs in the language of EKL, we can either represent them as functions or as predicates. Logically speaking, the representations are equivalent, but one should not expect the matter to be irrelevant for automatic proof checking. There are many programs computing the same function and many properties can be used to characterize them.

Sometimes it seems quite clear what we need: for instance, the operation of composition of two functions, represented by a LISP function, should be

(define compose |∀u v.u⊗v=mapcar(λi.appl(u,i),v)|)
(label composedef)

or, avoiding mapcar,

(define compose |∀u v x.(u⊗nil)=nil∧
(u⊗(x.v))=(nth(u,x)).(u⊗v)|
listinductiondef)
(label composedef)

Given our definition of perm, the identity function for permutations of n elements is the list (1 ... n). The most obvious recursive programs generating it are represented either by

(decl (ident) (type: |ground→ground|))

(define ident |∀n.ident(0)=nil∧
ident(n')=ident(n)*list(n')| inductive_definition)

where * is the LISP function append, or by

† This representation is practical only if h is indeed a permutation. If the range is not a segment of N, we would need some place-holder to mark the places not in the range of h, and, of course, this representation doesn't make sense if h is not 1-1.
(define ident1 |∀n.ident1(0)=nil∧
ident1(n')=n'.ident1(n)| inductive_definition)

(define ident |∀n.ident(n)=reverse(ident1(n))|).

These definitions, however, need not be the best choice from the point of view of automatic proof checking. For we will try to construct proofs by induction on numbers, or lists, or both. The first definition would be all right, except that lists are defined recursively using cons, not append, so one would need some extra lemmata about append. The second definition is perhaps worse, because of the use of reverse. One can use the standard trick of introducing an auxiliary function with an extra parameter:

(defax ident1 |∀x u n i.ident1(i,0)=nil∧
ident1(i,n')=i.ident1(i',n)|)
(label identdef1)

(define ident |∀n.ident(n)=ident1(0,n)|)
(label identdef)

If we want to introduce identity by a predicate, we may be tempted to follow the above definition:

(decl (identp1) (type: |ground⊗ground⊗ground→truthval|))

(defax identp1 |∀x u n i.identp1(nil,i,n)∧identp1(u,i,0)∧
identp1(x.u,i,n')=(x=i∧identp1(u,i',n))|)
(label identdef1)

(decl (identp) (type: |ground→truthval|))

(define identp |∀u.identp(u)=identp1(u,0,length(u))|)
(label identdef)

The definition of identp1 is by double recursion on numbers and lists. This complicates the subsequent inductions.

The LISP function inverse is defined using fstposition by recursion on numbers:

(defax invers1
|∀u i n.invers1(u,i,0)=nil∧invers1(nil,i,n)=nil∧
invers1(u,i,n')=if null(fstposition(u,i))
then nil
else fstposition(u,i).invers1(u,i',n)|)
(label inversdef1)

(define inverse |∀u.inverse(u)=invers1(u,0,length(u))|)
(label inversdef)

One could represent it by the predicate:

(defax inversp1
|∀u v i.(inversp1(nil,v,i)≡null(v)∨null(fstposition(v,i)))∧
(inversp1(x.u,v,i)≡x=fstposition(v,i)∧inversp1(u,v,i'))|)
(label inversdef1)

(define inversp |∀u v.inversp(u,v)=inversp1(u,v,0)|)
(label inversdef).
Notice that inversp1 is defined by recursion on lists. The choice of the definition of a function determines the form of induction to be used in the proofs. (For a systematic use of this remark, see Boyer and Moore [1979].) However, the principle of proof is by no means uniquely determined in this way. For instance, two objects with different recursive definitions in the same statement may already produce a puzzle. Often, finding the right form of induction is a nontrivial contribution required from human interaction. Consider one of our main facts, say the theorem Right Inverse:

∀u.perm(u)⊃u⊗inverse(u)=ident(length(u))

If we have defined our operations as functions, the function compose suggests that we try an induction on lists, or maybe a double induction on lists and numbers, since invers1 and ident1 are defined by recursion on numbers. This cannot work: perm(x.u) does not imply perm(u).

We need to use induction locally, with respect to a single list. We must assume that a list is a permutation and prove facts about it by scanning it, without assuming that its sublists are permutations. Nthcdr Induction is such a local form of induction:

∀phi u.phi(nil)∧(∀n.n<length(u)⊃(phi(nthcdr(u,n'))⊃
phi(nth(u,n).nthcdr(u,n'))))⊃phi(u)

Yet this doesn't solve our problem. Since inverse and ident are defined by recursion on numbers, a promising route is to use induction on numbers instead of lists and expand the definitions of inverse and ident.

Certainly our search for a proof strategy is not a blind process of trial and error, guided only by some hints from the definition of the objects. We have a purpose and an intuitive idea, namely to construct the identity list using the fact that for all n less than the length of u

nth(u,fstposition(u,n))=n.

Indeed we have defined inverse through fstposition in order to do this. What we are searching for is a strategy of proof that accomplishes it. In our search we now know that we cannot use induction on the given list u. To use induction on n seems intuitively right: our theorem asserts that two mathematical objects behave like the identity function, i.e. given a number they return the same number. Our proof should be based upon this property of the identity function.

We are satisfied with such intuitive guidelines in interactive proof checking. For the issue here is still the adequacy of representation, and not the automatic heuristics of mathematical proofs. Guided, say, by the above remarks, we will attempt to prove by induction on n

perm(u)∧m<length(u)⊃(u⊗invers1(u,m,n))=ident1(m,n),

and we ask whether this is the best strategy for an effective mechanical simulation of the intuitive proof.

Further remarks may give suggestions for the kind of improvement we are interested in, namely the improvement of the efficiency of the entire proof.

Since we want to see that two lists are equal, it is natural to use the lemma Extensionality for lists:

length u=length v⊃((∀i.i<length u⊃nth(u,i)=nth(v,i))⊃u=v).
This suggests that we break the proof in two parts, proving first something about lengths and second something about nth elements. Indeed, the function nth may be the linking notion that allows us to choose induction on numbers rather than on lists as the basic proof strategy.

If we choose to represent our operations by predicates, it is not convenient to use the predicates identp1 and inversp1 (although they are close to the recursive definition of our programs). It is better to define the predicate 'u is the identity' as

(defax id |∀u.id(u)≡(∀n.n<length u⊃nth(u,n)=n)|)
(label id_def)

and 'u is the inverse of v' as

(defax inv |∀u v.inv(u,v)≡(∀n.n<length u⊃nth(u,n)=fstposition(v,n))|)
(label invdef)

Then 'u is the composition of v and w' becomes:

(define comp
|∀u v w.comp(u,v,w)≡length u=length w∧
(∀n.n<length u⊃nth(u,n)=nth(v,nth(w,n)))|)
(label compdef)

The proof of our theorem as

∀u v w.perm(w)∧inv(u,w)∧comp(v,w,u)∧length u=length w⊃id(v)

then follows simply by expanding the definitions, without need of complicated inductions.

We  consider  these  definitions  as  more  'abstract'  and  'extensional':  the  'intensional'  features  of 
the  programs  computing  our  functions  are  abstracted  away.  Since  nth  is  the  function  that  interprets 
our  notion  of  application,  they  describe  the  properties  of  applications,  together  with  the  properties 
of  the  lists  used  in  our  representation. 

Therefore,  when  dealing  with  functions  instead  of  predicates,  it  is  convenient  to  prove  these 
definitions  as  basic  properties  of  our  functions,  rather  than  carrying  through  the  proofs  directly. 
We  follow  this  strategy  in  the  following  proofs.  In  the  representation  through  functions  we  will 
prove  the  lemmata  Nth  Compose,  Main  Id,  Main  Inv,  showing  that  our  functions  compose,  ident 
and  inverse  have  the  properties  described  by  the  predicates  comp,  id  and  inv,  respectively. 

On  the  other  hand,  to  represent  the  operations  as  primitive  recursive  functionals  and  to  prove 
facts  by  the  corresponding  induction  is  in  many  cases  the  natural  choice:  very  often,  representing 
the  operations  by  functions,  rather  than  by  predicates,  allows  for  simpler  proofs.  (A  clear  example 
is  the  proof  that  composition  of  permutations  is  associative.) 

In  conclusion,  inspection  of  our  proof  should  be  convincing  evidence  that  the  following  strategy 
is  the  most  efficient  in  terms  of  the  overall  organization  of  the  material. 

1)  It  is  convenient  to  use  the  function  compose  to  represent  composition  of  functions,  for  the 
proof  of  associativity  is  much  shorter; 

2)  It  is  convenient  to  characterize  the  identity  permutation  by  the  predicate  id,  and  the 
predicate  inv  for  the  operation  of  inversion  of  permutations.  We  obtain  elegant  proofs  of  the 
properties  of  the  left  and  right  identity  and  of  left  and  right  inverse. 

3)  Finally,  we  can  easily  prove  that 

∀n. id(ident n) 

and 

∀u. perm(u) ⊃ inv(inverse u, u) 

Using  these  facts,  we  can  derive  theorems  2  and  3  for  the  specific  functions  ident  and  inverse  as 
corollaries. 

However,  in  order  to  give  the  most  convincing  evidence  for  the  gain  in  efficiency  obtained  in 
this  way,  we  will  consider  most  of  the  proofs  in  the  two  formulations.  Occasionally  we  will  also 
show  what  a  direct  proof  looks  like  in  the  representation  using  functions. 

6.2.  Definitions  of  Composition,  Identity,  Inverse. 


6.2.1.  Functions  as  Lists:  Using  Predicates. 


;definitions of composition, identity, inverse as predicates 
(proof comp_pred) 

;composition of functions 

1. (decl (comp) (type: |ground®ground®ground→truthval|) (syntype: constant) 
(bindingpower: 930)) 

2. (define comp 
|∀u v w. comp(u,v,w) ≡ length u=length w ∧ 
(∀n. n<length u ⊃ nth(u,n)=nth(v,nth(w,n)))|) 

(label compdef) 

;the identity function 

3. (decl (id) (type: |ground→truthval|)) 

4. (defax id |∀u. id(u) ≡ (∀n. n<length u ⊃ nth(u,n)=n)|) 

(label id_def) 

;the inverse of a function 

5. (decl (inv) (type: |ground®ground→truthval|)) 

6. (defax inv |∀u v. inv(u,v) ≡ (∀n. n<length u ⊃ nth(u,n)=fstposition(v,n))|) 
(label invdef) 

Remark.  Using  list  representation  for  functions  the  assumption  that  the  functions  are  defined 
on  the  same  domain  is  represented  by  the  condition  that  our  lists  have  the  same  length.  In  our 
situation  we  consider  permutations  of  a  finite  set.  We  assume  that  the  lists  are  of  a  fixed  length. 
We  characterize  u  as  the  composition  of  v  and  w  by  the  property 

(∀n. n<length u ⊃ nth(u,n)=nth(v,nth(w,n))). 

In  order  to  speak  of  the  composition  of  u  and  w  we  have  to  add  the  condition  that 

length(u)=length(w). 

Similarly  for  the  inverse  of  a  function. 
6.2.2.  Functions  as  Lists:  Using  Functions. 

If  every  element  of  u  is  a  number  less  than  length(v),  then  it  makes  sense  to  apply  v  to  each 
element  of  u  (since  we  defined  appl(v,x)  to  be  nth(v,x)).  In  this  case  we  may  say  that  v  is 
defined  as  a  function  over  the  domain  u. 

(proof comp_fnct) 

1. (decl def_appl (type: |ground®ground→truthval|)) 

2. (define def_appl |∀u v. def_appl(v,u) ≡ allp(λx. natnum(x) ∧ x<length(v), u)|) 
(label def_appl_fact) 

Composition  of  functions: 

3. (decl (compose) (infixname: |®|) (type: |ground®ground→ground|) 
(syntype: constant) (bindingpower: 930)) 

4. (define compose |∀u v x. (u®nil)=nil ∧ 
(u®(x.v))=(nth(u,x)).(u®v)| listinductiondef) 

(label composedef) 

The  identity  function: 

5. (decl (ident1) (type: |ground®ground→ground|)) 

6. (defax ident1 |∀x u n i. ident1(i,0)=nil ∧ 
ident1(i,n')=i.ident1(i',n)|) 

(label identdef1) 

7. (decl (ident) (type: |ground→ground|)) 

8. (define ident |∀n. ident(n)=ident1(0,n)|) 

(label identdef) 

The  inverse  of  a  function: 

9. (decl (invers1) (type: |ground®ground®ground→ground|)) 

10. (defax invers1 
|∀u i n. invers1(u,i,0)=nil ∧ invers1(nil,i,n)=nil ∧ 
invers1(u,i,n')=if null(fstposition(u,i)) 
then nil 
else fstposition(u,i).invers1(u,i',n)|) 

(label inversdef1) 

11. (decl (inverse) (type: |ground→ground|)) 

12. (define inverse |∀u. inverse(u)=invers1(u,0,length(u))|) 

(label inversdef) 
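The list representation just defined, written out as a small executable model in Python (an added example, not the paper's EKL or LISP code). The names nth, fstposition, def_appl, compose, ident1, ident, invers1, inverse, into, onto and perm follow the definitions above (NIL is modelled by the empty list, and by None for a failed fstposition); check_lemmas and check_all are our own names and exercise, on concrete permutations, the facts proved about these functions in Sections 6.3 and 6.4 together with the identity u ® invers1(u,m,n) = ident1(m,n) of Section 6.1.

```python
"""Executable model of the list representation of Section 6.2.2 (added example,
not the paper's EKL text).  A list u of naturals stands for the function
k -> nth(u,k); None plays the role of NIL for a failed fstposition.
Function names follow the paper; check_lemmas and check_all are ours."""
from itertools import permutations
from typing import List, Optional

def nth(u: List[int], n: int) -> int:
    """nth(u,n): the n-th element (0-based), i.e. application of u to n."""
    return u[n]

def fstposition(u: List[int], x: int) -> Optional[int]:
    """Index of the first occurrence of x in u, or None (NIL) if x is not a member."""
    for i, y in enumerate(u):
        if y == x:
            return i
    return None

def def_appl(v: List[int], u: List[int]) -> bool:
    """def_appl(v,u) = allp(lambda x. natnum(x) and x<length v, u)."""
    return all(isinstance(x, int) and 0 <= x < len(v) for x in u)

def compose(u: List[int], v: List[int]) -> List[int]:
    """u (x) v by list induction on v: u(x)nil = nil, u(x)(x.v) = nth(u,x).(u(x)v).
    The caller must ensure def_appl(u,v); otherwise nth fails, as in LISP."""
    if not v:
        return []
    return [nth(u, v[0])] + compose(u, v[1:])

def ident1(i: int, n: int) -> List[int]:
    """ident1(i,0) = nil,  ident1(i,n') = i . ident1(i',n)."""
    return [] if n == 0 else [i] + ident1(i + 1, n - 1)

def ident(n: int) -> List[int]:
    """ident(n) = ident1(0,n), the list 0, 1, ..., n-1."""
    return ident1(0, n)

def invers1(u: List[int], i: int, n: int) -> List[int]:
    """invers1(u,i,0) = nil; invers1(nil,i,n) = nil;
    invers1(u,i,n') = if null fstposition(u,i) then nil
                      else fstposition(u,i) . invers1(u,i',n)."""
    if n == 0 or not u:
        return []
    p = fstposition(u, i)
    return [] if p is None else [p] + invers1(u, i + 1, n - 1)

def inverse(u: List[int]) -> List[int]:
    """inverse(u) = invers1(u,0,length(u))."""
    return invers1(u, 0, len(u))

def into(u: List[int]) -> bool:
    """into(u): every nth(u,n) is a natural number below length u."""
    return def_appl(u, u)

def onto(u: List[int]) -> bool:
    """onto(u): every n below length u is a member of u."""
    return all(k in u for k in range(len(u)))

def perm(u: List[int]) -> bool:
    return into(u) and onto(u)

def check_lemmas(u: List[int], v: List[int], w: List[int]) -> bool:
    """On permutations u, v, w of one length, check the facts the paper proves
    about the functions.  Returns True iff every fact holds."""
    n = len(u)
    facts = [
        # Nth Compose: def_appl(v,u), k<length u  =>  nth(v(x)u,k) = nth(v,nth(u,k))
        def_appl(v, u) and all(nth(compose(v, u), k) == nth(v, nth(u, k)) for k in range(n)),
        # Length Compose, Length Ident, Length Inverse
        len(compose(w, u)) == n and len(ident(n)) == n and len(inverse(u)) == n,
        # sublemma of Length Inverse: m<=length u  =>  length invers1(u,length u-m,m) = m
        all(len(invers1(u, n - m, m)) == m for m in range(n + 1)),
        # Main Id: ident(n) satisfies the predicate id
        all(nth(ident(n), k) == k for k in range(n)),
        # Main Inv: inverse(u) satisfies inv(inverse(u),u)
        all(nth(inverse(u), k) == fstposition(u, k) for k in range(n)),
        # Perm Compose and Associativity of Composition
        perm(compose(u, v)) and compose(compose(w, v), u) == compose(w, compose(v, u)),
        # the identity of Section 6.1:  u (x) invers1(u,m,n-m) = ident1(m,n-m)
        all(compose(u, invers1(u, m, n - m)) == ident1(m, n - m) for m in range(n + 1)),
    ]
    return all(facts)

def check_all(n: int) -> bool:
    """check_lemmas over every triple of permutations of {0,...,n-1}."""
    ps = [list(p) for p in permutations(range(n))]
    return all(check_lemmas(u, v, w) for u in ps for v in ps for w in ps)
```

check_all(3) runs check_lemmas over every triple of permutations of {0,1,2}. The model also makes visible why Length Inverse needs the hypothesis perm(u): for a list such as [0,0,1] the recursion in invers1 stops at the first i with a null fstposition, so inverse([0,0,1]) has length 2.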
6.3.  Preliminaries. 

We  collect  here  facts  about  definiteness,  sort  and  length  of  the  lists  resulting  from  our  operations 
in  the  representation  using  functions.  We  prove  facts  about  concrete  LISP  programs  that 
perform  the  operations  'composing'  two  lists  and  taking  the  'inverse'  of  a  list;  hence  we  obtain 
more  information  than  in  the  proofs  using  predicates. 

Remark.  The  proofs  in  the  representation  by  functions  require  tedious  computations 
involving  the  function  minus.  Typically,  in  a  proof  by  induction  on  n,  for  n<length  u,  the  induction 
step  contains  an  expression  like 

LENGTH(INVERS1(U,(LENGTH U-N')',N))=N 

to  be  simplified  as 

LENGTH(INVERS1(U,LENGTH U-N,N))=N 

Such  replacement  is  dependent  on  the  truth  of  the  clause  N<LENGTH  U. 

We  have  collected  in  the  proof  MINUS  a  sequence  of  facts  of  the  form 

;labels: MINUSFACT10 
∀N M. N<M ⊃ M-N=(M-N')' 

to  be  used  as  rewriters  in  similar  cases.  In  fortunate  situations  the  truth  of  the  condition  is 
immediately  recognized  by  the  decision  procedure.  Often  a  derivation  is  needed  from  other  facts, 
e.g.  from 

;labels: LESS_LESSEQSUCC 
∀M N. M<N ≡ M'≤N 

and  we  may  need  to  do  the  substitution  'by  brute  force',  with  some  tedium  and  pain. 


6.3.1.  Preliminaries:  Condition  for  Definiteness  and  Sorts  of  the  Functions. 

The  condition  for  v  to  be  applicable  to  u  as  domain  is  formulated  recursively  in  Def  Appl  Fact. 
Now  we  give  a  sufficient  condition  for  Def  Appl  Fact. 

1. (assume |into u|) 

2. (assume |length u≤length v|) 

3. (rw -2 (open into)) 

;∀N. N<LENGTH U ⊃ NATNUM(NTH(U,N)) ∧ NTH(U,N)<LENGTH U 

4. (trw |∀n. n<length u ⊃ natnum nth(u,n) ∧ nth(u,n)<length v| * 
(less_lesseq_fact1 -2)) 

;∀N. N<LENGTH U ⊃ NATNUM(NTH(U,N)) ∧ NTH(U,N)<LENGTH V 

5. (ue ((phi1.|λx. natnum x ∧ x<length v|)(u.u)) nth_allp *) 
;ALLP(λX. NATNUM(X) ∧ X<LENGTH V, U) 

6. (trw |def_appl(v,u)| (open def_appl) *) 

;DEF_APPL(V,U) 

7. (ci (-6 -5)) 

;INTO(U) ∧ LENGTH U≤LENGTH V ⊃ DEF_APPL(V,U) 

(label def_appl_condition) ■ 

In  particular,  the  same  condition  holds  for  permutations  of  the  appropriate  length. 

8. (rw def_appl_condition (open lesseq) (use normal mode: always)) 
;∀U V. (INTO(U) ∧ LENGTH U=LENGTH V ⊃ DEF_APPL(V,U)) ∧ 
; (INTO(U) ∧ LENGTH U<LENGTH V ⊃ DEF_APPL(V,U)) 

9. (derive |perm u ∧ length u=length v ⊃ def_appl(v,u)| 
(def_appl_condition *) (open perm onto)) 

(label def_appl_condition1) ■ 

We  prove  that  the  results  of  our  operations  have  the  right  sorts. 

compose: 

10. (ue (phi |λu. def_appl(v,u) ⊃ listp v®u|) listinduction 
(part 1 (open def_appl allp compose))) 
;∀U. DEF_APPL(V,U) ⊃ LISTP V®U 
(label sortcomp) (label simpinfo) ■ 

ident: 

11. (ue (a |λn. ∀m. listp ident1(m,n)|) proof_by_induction 
(open ident1)) 

;∀N M. LISTP IDENT1(M,N) 

(label ident_sort1) (label simpinfo) ■ 

12. (trw |∀n. listp ident(n)| (open ident) *) 

;∀N. LISTP IDENT(N) 

(label ident_sort) (label simpinfo) ■ 

inverse: 

13. (ue (a |λn. ∀i. listp invers1(u,i,n)|) proof_by_induction 
(open invers1) posfacts) 

;∀N I. LISTP INVERS1(U,I,N) 

(label invers_sort1) (label simpinfo) ■ 

14. (trw |listp inverse(u)| (open inverse) *) 

;LISTP INVERSE(U) 

(label inverse_sort) (label simpinfo) ■ 
6.3.2.  Preliminaries:  Length  of  Compose. 

Lemma  6.1.  (Length  Compose) 

∀U W. DEF_APPL(W,U) ⊃ LENGTH(W®U)=LENGTH(U) 

Proof.  By  Nthcdr  Induction  applied  to  u.  For  u  =  NIL,  the  result  is  given  by  the  definition 
of  compose.  Assume  that 

length(w ® nthcdr(u,n'))=length(nthcdr(u,n')), 

for  n'  less  than  length(u).  We  would  like  to  have: 

length(w ® (nth(u,n).nthcdr(u,n')))=length(nth(u,n).nthcdr(u,n')). 

Since  nth(u,n)  is  always  an  S-expression,  we  can  apply  the  definition  of  compose;  the  left  hand 
side  becomes 

length(nth(w,nth(u,n)).(w®nthcdr(u,n'))). 

The  inductive  step  will  be  proved  if  we  show  that  the  terms  have  proper  sorts,  under  the  assumption 
of  line  1.  Lines  3-9  do  this. 

(proof length_compose) 

1. (assume |def_appl(w,u)|) 

(label l_c_1) 

2. (rw * (open def_appl)) 

(label l_c_2) 

;ALLP(λX. NATNUM(X) ∧ X<LENGTH W, U) 

Since  w  is  defined  as  an  application  on  u  as  domain  (line  1),  nth(u,n)  is  a  natural  number  less 
than  length(w).  Therefore  nth(w,nth(u,n))  is  an  S-expression  (line  5). 

3. (assume |n<length(u)|) 

(label l_c_3) 

4. (ue ((u.u) (x.|nth(u,n)|) (phi1.|λx. natnum(x) ∧ x<length(w)|)) 
allp_elimination 
nthmember sexp_nth l_c_3 l_c_2) 

;NATNUM(NTH(U,N)) ∧ NTH(U,N)<LENGTH W 
(label l_c_4) 

5. (trw |sexp(nth(w,nth(u,n)))| sexp_nth l_c_4) 

;SEXP NTH(W,NTH(U,N)) 

(label l_c_sort1) 

6. (ci l_c_3) 

;N<LENGTH U ⊃ SEXP NTH(W,NTH(U,N)) 

(label l_c_7) 

Moreover,  w  is  defined  as  an  application  on  any  part  of  u,  since  it  is  defined  on  u  (using  Allp 
Nthcdr).  Therefore,  using  Sortcomp,  we  see  that  w  ®  nthcdr(u,n')  is  a  list. 

7. (derive |allp(λx. natnum(x) ∧ x<length w, nthcdr(u,n'))| 
(allp_nthcdr l_c_2)) 

;ALLP(λX. NATNUM(X) ∧ X<LENGTH W, NTHCDR(U,N')) 

8. (derive |listp(w®nthcdr(u,n'))| (* sortcomp)) 

(label l_c_sort2) 

9. (ci l_c_3) 

;N<LENGTH U ⊃ LISTP W®NTHCDR(U,N') 

(label l_c_8) 

The  result  follows  by  Nthcdr  Induction. 

10. (ue ((phi.|λu. length(w®u)=length(u)|) (u.u)) 
nthcdr_induction 
(part 1 (open compose length)) l_c_7 l_c_8) 

;LENGTH(W®U)=LENGTH U 

11. (ci l_c_1) 

;DEF_APPL(W,U) ⊃ LENGTH(W®U)=LENGTH U 
(label length_compose) ■ 


6.3.3.  Preliminaries:  Length  of  Ident. 

Lemma  6.2.  (Length  Ident) 

∀N. LENGTH(IDENT(N))=N 

Proof. 

1. (ue (a |λn. ∀m. length ident1(m,n)=n|) 
proof_by_induction 
(open ident1)) 

;∀N M. LENGTH(IDENT1(M,N))=N 

(label length_ident1) (label simpinfo) 

2. (trw |∀N. LENGTH(IDENT(N))=N| * (open ident)) 
(label length_ident) (label simpinfo) ■ 
6.3.4.  Preliminaries:  Length  of  Inverse. 

Lemma  6.3.  (Length  Inverse) 

∀U. PERM(U) ⊃ LENGTH(INVERSE(U))=LENGTH U 

Remark.  Example  8.  It  may  be  instructive  to  consider  the  heuristics  of  the  proof.  The  first 
problem  is  to  find  the  appropriate  sublemma.  inverse  is  defined  in  terms  of  the  auxiliary  function 
invers1  and  the  latter  is  defined  by  recursion  on  its  third  argument: 

;labels: INVERSDEF1 

∀U I N. INVERS1(U,I,0)=NIL ∧ INVERS1(NIL,I,N)=NIL ∧ 
INVERS1(U,I,N')= 
(IF NULL FSTPOSITION(U,I) 
THEN NIL 
ELSE FSTPOSITION(U,I).INVERS1(U,I',N)) 

Hence  it  is  reasonable  to  try  a  proof  by  induction  on  n.  The  reader  should  see  why  it  is  not 
reasonable  to  try  induction  on  u.  We  assume  perm  u  and  try  to  prove 

(∀N. N≤LENGTH U ⊃ LENGTH(INVERS1(U,LENGTH U-N,N))=N) 

At  this  point  we  immediately  see  that 

(i)  the  base  case  follows  by  expanding  the  definitions; 

(ii)  in  the  inductive  step  fstposition(u,length  u-n')  will  not  be  null  since 
length  u-n'<length  u  and  onto(u); 

(iii)  to  apply  the  induction  hypothesis  in  the  inductive  step  we  need  the  lemma 

;labels: SUCC_LESSEQ_LESSEQ 
∀M N. M'≤N ⊃ M≤N 

We  can  ask  EKL  to  prove  it  and  see  precisely  in  what  form  the  above  information  must  be 
presented  to  EKL  or  what  other  facts  we  may  have  overlooked. 

(ue (a |λn. n≤length u ⊃ length invers1(u,length u-n,n)=n|) 
proof_by_induction 
(open invers1) succ_lesseq_lesseq) 

;(∀N. (N≤LENGTH U ⊃ LENGTH(INVERS1(U,LENGTH U-N,N))=N) ⊃ 
; (N'≤LENGTH U ⊃ 
; ¬NULL FSTPOSITION(U,LENGTH U-N') ∧ 
; LENGTH(INVERS1(U,(LENGTH U-N')',N))=N)) ⊃ 
;(∀N. N≤LENGTH U ⊃ LENGTH(INVERS1(U,LENGTH U-N,N))=N) 

This  test  informs  us  that  EKL  has  done  the  base  case  as  expected  and  has  expanded  the 
definition  of  invers1  in  the  induction  step.  In  both  cases  of  the  conditional  definition  of  invers1, 
the  definition  of  length  has  been  expanded  as  desired,  giving  0=n'  if 

(*) NULL FSTPOSITION(U,LENGTH U-N') 

and 

(**) LENGTH(INVERS1(U,(LENGTH U-N')',N))=N 

otherwise;  so  the  clause  of  the  form  if  p  then  false  else  q  has  become  ¬p ∧ q. 

Now  we  are  confident  that  EKL  will  prove  the  negation  of  (*),  according  to  the  argument  given 
in  (ii)  above,  with  the  information  contained  in  Posfacts  and  Minusfact11: 

;labels: SIMPINFO POSFACTS 
∀U Y. (NULL FSTPOSITION(U,Y) ≡ ¬MEMBER(Y,U)) ∧ 
(MEMBER(Y,U) ⊃ NATNUM(FSTPOSITION(U,Y))) ∧ 
(NULL FSTPOSITION(U,Y) ∨ NATNUM(FSTPOSITION(U,Y))) 

;labels: MINUSFACT11 
∀N M. M<N ⊃ N-M'<N 

and  that  EKL  will  see  that  the  induction  hypothesis  implies  (**),  if  we  add 

;labels: MINUSFACT10 
∀N M. N<M ⊃ M-N=(M-N')' 

In  both  cases  we  need  also 

;labels: LESS_LESSEQSUCC 
;∀M N. M<N ≡ M'≤N 

etc.  The  details  of  the  proof  follow.  □ 
Proof. 

1. (assume |perm(u)|) 

(label li1) 

2. (rw li1 (open perm onto into)) 

;(∀N. N<LENGTH U ⊃ NATNUM(NTH(U,N)) ∧ NTH(U,N)<LENGTH U) ∧ 
;(∀N. N<LENGTH U ⊃ MEMBER(N,U)) 

(label li2) 

3. (ue ((u.|u|) (y.|n|)) posfacts) 

;(NULL FSTPOSITION(U,N) ≡ ¬MEMBER(N,U)) ∧ 
;(MEMBER(N,U) ⊃ NATNUM(FSTPOSITION(U,N))) 

4. (derive |n<length u ⊃ ¬null fstposition(u,n)| (3 li2)) 

(label li3) 

5. (ue ((m.|n|) (n.|length u|)) minusfact11 
(part 1 (use less_lesseqsucc mode: exact))) 

;N'≤LENGTH U ⊃ LENGTH U-N'<LENGTH U 

6. (derive |n'≤length u ⊃ ¬null fstposition(u,length u-n')| (5 li3)) 
(label li4) 

7. (trw |n'≤length u ⊃ (length u-n')'=length u-n| 
(use minusfact10) 
(use less_lesseqsucc mode: exact direction: reverse)) 
;N'≤LENGTH U ⊃ (LENGTH U-N')'=LENGTH U-N 

8. (ue (a |λn. n≤length u ⊃ length(invers1(u,length u-n,n))=n|) 
proof_by_induction 
(open invers1) (use succ_lesseq_lesseq) (use 7) (use li4)) 
;∀N. N≤LENGTH U ⊃ LENGTH(INVERS1(U,LENGTH U-N,N))=N 

9. (ue (n |length u|) * (open lesseq)) 

;LENGTH(INVERS1(U,0,LENGTH U))=LENGTH U 

10. (trw |length inverse(u)=length u| (open inverse) *) 

;LENGTH(INVERSE(U))=LENGTH U 

;deps: (LI1) 

11. (ci li1) 

;PERM(U) ⊃ LENGTH(INVERSE(U))=LENGTH U 
(label lengthinverse) ■ 


6.4.  Theorem  1:  Composition  of  Permutations. 

6.4.1.  Using  Predicates:  Composition  of  Permutations  is  a  Permutation. 


We  prove  the  following  theorem: 

Theorem  1  (Composition) 

(i) ∀U V W. PERM(V) ∧ PERM(W) ∧ LENGTH V=LENGTH W ∧ COMP(U,V,W) ⊃ PERM(U) 

(ii) ∀U V W. COMP(U,V,W) ∧ COMP(U1,V,W) ⊃ U=U1 

The  proof  of  (i)  is  long  but  not  hard. 

Proof.  Assume  that  v  and  w  are  permutations  (lines  1  and  2),  have  the  same  length  (line  3) 
and  u  is  the  result  of  'composing'  v  and  w  (line  4).  We  show  that 

(i)  u  is  into  (line  17)  and 

(ii)  u  is  onto  (line  32). 

(i)  is  a  matter  of  expanding  definitions.  If  m  is  less  than  the  length  of  u  (and  so  of  w  and  of  v), 
then  nth(w,m)  is  a  natural  number  less  than  the  length  of  v  (line  10)  and  nth(v,nth(w,m))  is  a 
natural  number  less  than  the  length  of  v  (line  11).  But  this  is  just  nth(u,m),  by  the  definition  of 
composition  (line  15).  'Intoness'  follows. 

;composition of permutations is a permutation 
(proof comp_perm) 

1. (assume |perm(v)|) 

(label cp_pm1) 

2. (assume |perm(w)|) 

(label cp_pm2) 

3. (assume |length v=length w|) 

(label cp_pm3) 

4. (assume |comp(u,v,w)|) 

(label cp_pm4) 

Rewrite: 

5. (rw cp_pm1 (open perm into onto)) 

(label cp_pm5) 

;(∀N. N<LENGTH V ⊃ NATNUM(NTH(V,N)) ∧ NTH(V,N)<LENGTH V) ∧ 
;(∀N. N<LENGTH V ⊃ MEMBER(N,V)) 

6. (rw cp_pm2 (open perm into onto)) 

(label cp_pm6) 

;(∀N. N<LENGTH W ⊃ NATNUM(NTH(W,N)) ∧ NTH(W,N)<LENGTH W) ∧ 
;(∀N. N<LENGTH W ⊃ MEMBER(N,W)) 

7. (rw cp_pm4 (open comp)) 

(label cp_pm7) 

;LENGTH U=LENGTH W ∧ (∀N. N<LENGTH U ⊃ NTH(U,N)=APPL(V,NTH(W,N))) 

A  straightforward  verification. 
8. (assume |m<length(u)|) 

(label cp_pm8) 

9. (rw * (use cp_pm7 mode: always)) 

(label cp_pm9) 

;M<LENGTH W 

10. (derive |natnum(nth(w,m)) ∧ nth(w,m)<length v| (cp_pm6 *) 
(use cp_pm3 mode: exact)) 

So  we  can  obtain  the  desired  result... 

11. (trw |natnum(nth(v,nth(w,m))) ∧ nth(v,nth(w,m))<length v| (* cp_pm5)) 

(label cp_pm10) 

...  and  open  appl  in  line  7 

12. (derive |nth(u,m)=nth(v,nth(w,m))| (cp_pm7 cp_pm8) 
(open appl) (use -2)) 

13. (rw cp_pm10 (use * mode: exact direction: reverse)) 

;NATNUM(NTH(U,M)) ∧ NTH(U,M)<LENGTH V 

(label cp_pm11) 

14. (trw |length u=length v| (use cp_pm7 cp_pm3 mode: always)) 

;LENGTH U=LENGTH V 

15. (rw cp_pm11 (use * mode: exact direction: reverse)) 

;NATNUM(NTH(U,M)) ∧ NTH(U,M)<LENGTH U 

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8) 

16. (ci cp_pm8) 

;M<LENGTH U ⊃ NATNUM(NTH(U,M)) ∧ NTH(U,M)<LENGTH U 

17. (trw |into u| (open into) *) 

(label cp_into) 

;INTO(U) 

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4) 

The  second  part,  the  proof  of  (ii),  is  slightly  more  complicated.  Any  m  less  than  the  length  of 
u  (and  so  of  v  and  of  w)  is  a  member  of  v  (line  19),  since  v  is  onto. 

18. (rw cp_pm9 (use cp_pm3 mode: exact direction: reverse)) 

;M<LENGTH V 

19. (trw |member(m,v)| (* cp_pm5)) 

;MEMBER(M,V) 

(label cp_pm20) 

Therefore  we  can  find  a  number  jv  less  than  the  length  of  v  such  that  m  is  the  jv-th  element  of  v 
(line  21). 

20. (derive |∃j. j<length(v) ∧ nth(v,j)=m| (* member_nth)) 

(label cp_pm21) 

;deps: (CP_PM1 CP_PM3 CP_PM4 CP_PM8) 

21. (define jv |jv<length(v) ∧ nth(v,jv)=m| *) 

(label cp_pm22) 

Again,  since  w  is  onto,  jv  is  a  member  of  w  (line  23). 

22. (rw * (use cp_pm3 mode: exact)) 

;JV<LENGTH W ∧ NTH(V,JV)=M 

23. (trw |member(jv,w)| (* cp_pm6)) 

;MEMBER(JV,W) 

And  again  we  can  find  a  number  kv  less  than  the  length  of  w  such  that  jv  is  the  kv-th  element  of 
w  (line  25). 

24. (derive |∃k. k<length(w) ∧ nth(w,k)=jv| (* member_nth)) 

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8) 

25. (define kv |kv<length(w) ∧ nth(w,kv)=jv| *) 

(label cp_pm23) 

So  m  is  nth(v,nth(w,kv))  (line  24);  but  this  is  just  nth(u,kv)  (line  30),  by  the  definition  of 
composition. 

26. (rw cp_pm22 (use * mode: always direction: reverse)) 

;NTH(W,KV)<LENGTH V ∧ NTH(V,NTH(W,KV))=M 

(label cp_pm24) 

27. (trw |kv<length(u)| cp_pm23 (use cp_pm7 mode: always)) 

;KV<LENGTH U 

(label cp_pm25) 

28. (trw |natnum nth(w,kv)| cp_pm23) 

;NATNUM(NTH(W,KV)) 

29. (derive |nth(u,kv)=nth(v,nth(w,kv))| (cp_pm7 cp_pm25) 
(open appl) (use *)) 

30. (rw * (use cp_pm24 mode: always)) 

;NTH(U,KV)=M 

The  last  equation  allows  us  to  apply  lemma  Nthmember  and  conclude  that  m  is  a  member  of  u. 

31. (derive |member(m,u)| nthmember 
cp_pm25 (use * mode: exact direction: reverse)) 

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8) 

32. (ci cp_pm8) 

;M<LENGTH U ⊃ MEMBER(M,U) 

(label cp_onto) 

33. (trw |perm u| (open perm onto) cp_into cp_onto) 

;PERM(U) 

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4) 

34. (ci (cp_pm1 cp_pm2 cp_pm3 cp_pm4)) 

;PERM(V) ∧ PERM(W) ∧ LENGTH V=LENGTH W ∧ COMP(U,V,W) ⊃ PERM(U) 

(label perm_composition) ■ 

Composition  of  functions  is  unique: 

35. (trw |comp(u,v,w) ∧ comp(u1,v,w) ⊃ u=u1| (open comp) extensionality) 
;COMP(U,V,W) ∧ COMP(U1,V,W) ⊃ U=U1 

(label comp_uniqueness) ■ 


6.4.2.  Using  Predicates:  Composition  is  Associative. 

Finally  we  prove  associativity: 

Theorem  1  (iii)  (Associativity  Pred) 

∀U U1 V V1 W1 W2 W3. INTO(W3) ∧ LENGTH W2=LENGTH W3 ∧ 
COMP(V,W1,W2) ∧ COMP(U,V,W3) ∧ 
COMP(V1,W2,W3) ∧ COMP(U1,W1,V1) ⊃ U=U1 

Proof.  The  aim  is  to  apply  extensionality.  In  view  of  an  application  of  Extensionality  (line 
26),  we  want  to  prove  that  for  all  n  <  length(u) 

nth(u,n) = nth(u1,n). 

The  facts  needed  follow  from  the  definitions.  However,  a  lot  of  rewriting  is  required  not  only 
to  expand  definitions,  but  also  to  find  the  right  matching  (e.g.  see  the  derivation  of  line  16  from 
lines  10  and  15).  The  decision  procedure  is  often  applied,  since  the  definition  contains  a  conditional 
clause.  More  specifically,  we  have  to  perform  the  following  substitutions: 

nth(u,n) = nth(v,nth(w3,n))               (line 10)      if n<length(u) 
         = nth(w1,nth(w2,nth(w3,n)))      (line 16)      if natnum(nth(w3,n)) and nth(w3,n)<length(v) 
         = nth(w1,nth(v1,n))              (from 16, 18)  if n<length(v1) 
         = nth(u1,n)                      (line 23)      if n<length(u1). 

It  would  take  a  lot  of  work  to  mechanically  perform  all  the  matching  involved  in  these  steps, 
if  all  possible  substitutions  had  to  be  attempted  at  random.  It  is  reasonable  to  expect  human 
guidance  of  the  proof  checker.  Therefore  one  cannot  expect  a  proof  in  a  few  lines. 

This  is  in  sharp  contrast  to  the  proof  using  functions,  consisting  of  a  few  straightforward  inductions 
on  lists  and  numbers. 

(proof comp_associative) 

1. (assume |into(w3)|) 

(label ca1) 

2. (assume |length w2=length w3|) 

(label ca2) 

3. (assume |comp(v,w1,w2)|) 

(label ca3) 

4. (assume |comp(u,v,w3)|) 

(label ca4) 

5. (assume |comp(v1,w2,w3)|) 

(label ca5) 

6. (assume |comp(u1,w1,v1)|) 

(label ca6) 

7. (assume |n<length u|) 

(label ca7) 

8. (rw ca4 (open comp)) 

;LENGTH U=LENGTH W3 ∧ (∀N. N<LENGTH U ⊃ NTH(U,N)=NTH(V,NTH(W3,N))) 

(label ca8) 

;deps: (CA4) 

9. (derive |n<length(w3)| (ca7 ca8)) 

(label ca9) 

;deps: (CA4 CA7) 

10. (derive |nth(u,n)=nth(v,nth(w3,n))| (ca7 ca8)) 

(label ca10) 

;deps: (CA4 CA7) 

11. (rw ca1 (open into)) 

;∀N. N<LENGTH W3 ⊃ NATNUM(NTH(W3,N)) ∧ NTH(W3,N)<LENGTH W3 
;deps: (CA1) 

12. (derive |natnum(nth(w3,n)) ∧ nth(w3,n)<length(w2)| (ca9 * ca2)) 

(label ca11) 

;deps: (CA1 CA2 CA4 CA7) 

13. (rw ca3 (open comp)) 

;LENGTH V=LENGTH W2 ∧ (∀N. N<LENGTH V ⊃ NTH(V,N)=NTH(W1,NTH(W2,N))) 

(label ca12) 
;deps: (CA3) 

14. (derive |nth(w3,n)<length(v)| (ca11 ca12)) 

(label ca13) 

;deps: (CA1 CA2 CA3 CA4 CA7) 

15. (derive |∀n. n<length(v) ⊃ nth(v,n)=nth(w1,nth(w2,n))| ca12) 
(ue (n |nth(w3,n)|) * ca11 ca13) 
;NTH(V,NTH(W3,N))=NTH(W1,NTH(W2,NTH(W3,N))) 

;deps: (CA1 CA2 CA3 CA4 CA7) 

16. (rw ca10 (use * mode: exact)) 

;NTH(U,N)=NTH(W1,NTH(W2,NTH(W3,N))) 

(label ca14) 

;deps: (CA1 CA2 CA3 CA4 CA7) 

17. (rw ca5 (open comp)) 

(label ca20) 

;LENGTH V1=LENGTH W3 ∧ (∀N. N<LENGTH V1 ⊃ NTH(V1,N)=NTH(W2,NTH(W3,N))) 

18. (derive |nth(v1,n)=nth(w2,nth(w3,n))| (ca9 ca20)) 

(label ca21) 

;deps: (CA4 CA5 CA7) 

19. (rw ca6 (open comp)) 

;LENGTH U1=LENGTH V1 ∧ (∀N. N<LENGTH U1 ⊃ NTH(U1,N)=NTH(W1,NTH(V1,N))) 
(label ca22) 

;deps: (CA6) 

20. (rw ca9 (use ca20 ca22 mode: always direction: reverse)) 

;N<LENGTH U1 

;deps: (CA4 CA5 CA6 CA7) 

21. (derive |nth(u1,n)=nth(w1,nth(v1,n))| (ca22 *)) 

;deps: (CA4 CA5 CA6 CA7) 

22. (rw * (use ca21 mode: exact)) 

;NTH(U1,N)=NTH(W1,NTH(W2,NTH(W3,N))) 

(label ca23) 

;deps: (CA4 CA5 CA6 CA7) 

23. (rw ca14 (use ca23 mode: exact direction: reverse)) 
;NTH(U,N)=NTH(U1,N) 

;deps: (CA1 CA2 CA3 CA4 CA5 CA6 CA7) 

24. (ci ca7) 

;N<LENGTH U ⊃ NTH(U,N)=NTH(U1,N) 

(label ca24) 

;deps: (CA1 CA2 CA3 CA4 CA5 CA6) 

25. (trw |length u=length u1| (use ca8 ca22 mode: always) 
(use ca20 mode: always direction: reverse)) 

;LENGTH U=LENGTH U1 
;deps: (CA4 CA5 CA6) 

26. (ue ((u.u)(v.u1)) extensionality ca24 *) 
;U=U1 

;deps: (CA1 CA2 CA3 CA4 CA5 CA6) 

27. (ci (ca1 ca2 ca3 ca4 ca5 ca6)) 
;INTO(W3) ∧ LENGTH W2=LENGTH W3 ∧ 
;COMP(V,W1,W2) ∧ COMP(U,V,W3) ∧ 
;COMP(V1,W2,W3) ∧ COMP(U1,W1,V1) ⊃ U=U1 
(label associativity_pred) ■ 
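The same theorems in the relational formulation, checked by brute force over a finite domain (an added example, not the paper's EKL proof). Here comp, into, onto and perm are the predicates of Section 6.2.1, a finite function is a list of length n over {0,...,n-1}, and the search helpers universe, compositions, theorem1_holds and associativity_pred_holds are our own names. What the search makes concrete is the point the proofs above rest on: comp pins u down pointwise, so extensionality gives uniqueness (Theorem 1 (ii)), the unique u is a permutation (Theorem 1 (i)), and the chain of substitutions of Section 6.4.2 collapses to u = u1 (Theorem 1 (iii)).

```python
"""Relational (predicate) formulation of composition from Section 6.2.1 with
Theorem 1 (i)-(iii) checked by exhaustive search (added example, not the
paper's EKL proof).  comp, into, onto, perm follow the paper; the search
helpers are ours."""
from itertools import product

def into(u):
    return all(isinstance(x, int) and 0 <= x < len(u) for x in u)

def onto(u):
    return all(k in u for k in range(len(u)))

def perm(u):
    return into(u) and onto(u)

def comp(u, v, w):
    """comp(u,v,w): length u = length w and nth(u,n) = nth(v,nth(w,n)) for n < length u.
    nth(v,nth(w,n)) is undefined when nth(w,n) is not below length v; we make the
    predicate false there, the only case the theorems exclude by hypothesis anyway."""
    if len(u) != len(w):
        return False
    return all(0 <= w[n] < len(v) and u[n] == v[w[n]] for n in range(len(u)))

def universe(n):
    """All lists of length n over {0,...,n-1}: the finite domain we quantify over."""
    return [list(t) for t in product(range(n), repeat=n)]

def compositions(v, w):
    """Every u in the universe with comp(u,v,w).  The predicate constrains u only
    pointwise, so Theorem 1 (ii) says this list has at most one element."""
    return [u for u in universe(len(w)) if comp(u, v, w)]

def theorem1_holds(n):
    """Theorem 1 (i) and (ii) for all permutations v, w of length n:
    exactly one u satisfies comp(u,v,w), and that u is a permutation."""
    ps = [u for u in universe(n) if perm(u)]
    return all(len(compositions(v, w)) == 1 and perm(compositions(v, w)[0])
               for v in ps for w in ps)

def associativity_pred_holds(n):
    """Theorem 1 (iii): from into(w3), length w2 = length w3, comp(v,w1,w2),
    comp(u,v,w3), comp(v1,w2,w3) and comp(u1,w1,v1) conclude u = u1.
    Quantifies over every w1, w2, w3 in the universe, not only permutations."""
    univ = universe(n)
    for w1 in univ:
        for w2 in univ:
            for w3 in univ:
                if not into(w3):
                    continue
                for v in compositions(w1, w2):
                    for v1 in compositions(w2, w3):
                        for u in compositions(v, w3):
                            for u1 in compositions(w1, v1):
                                if u != u1:
                                    return False
    return True
```

theorem1_holds(3) runs in well under a second; associativity_pred_holds(n) quantifies over all n^3n triples of lists, which for n = 3 is 19683 triples and takes several seconds, so the check below uses n = 2.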


6.4.3.  Using  Functions:  the  Lemma  Nth  Compose. 

We  prove  first  the  lemma  Nth  Compose,  i.e.  the  basic  property  of  composition,  that  was  taken 
as  definition  of  the  predicate  comp. 

Lemma  6.4.  (Nth  Compose) 

∀U N. DEF_APPL(V,U) ∧ N<LENGTH U ⊃ NTH(V®U,N)=NTH(V,NTH(U,N)) 

Proof.  By  double  induction  on  n  and  u: 

(proof nth_compose) 

;labels: DOUBLEINDUCTION1 

;(∀U N X. PHI3(NIL,N) ∧ PHI3(U,0) ∧ (PHI3(U,N) ⊃ PHI3(X.U,N'))) ⊃ 
;(∀U N. PHI3(U,N)) 

One  base  case  is  proved  by  list  induction: 

1. (ue (phi |λu. ¬null(u) ∧ def_appl(v,u) ⊃ nth(v®u,0)=nth(v,nth(u,0))|) 
listinduction 
(part 1 (open compose nth def_appl allp))) 

;∀U. ¬NULL U ∧ DEF_APPL(V,U) ⊃ CAR(V®U)=NTH(V,CAR U) 

(label a_c_base1) 

...and  the  other  is  trivial.  So: 

2. (ue (phi3 |λu n. def_appl(v,u) ∧ n<length(u) ⊃ nth(v®u,n)=nth(v,nth(u,n))|) 
doubleinduction1 
(part 1 (open compose def_appl allp)) a_c_base1) 

;∀U N. DEF_APPL(V,U) ∧ N<LENGTH U ⊃ NTH(V®U,N)=NTH(V,NTH(U,N)) 

(label nth_compose) ■ 

Exercise.  Prove  Theorem  1  in  the  representation  by  functions 

∀U V. PERM U ∧ PERM V ∧ LENGTH U=LENGTH V ⊃ PERM(U®V) 

using  directly  Theorem  1  (Composition) 

∀U V W. PERM(V) ∧ PERM(W) ∧ LENGTH V=LENGTH W ∧ COMP(U,V,W) ⊃ PERM(U) 
6.4.4.  Using  Functions:  Theorem  1. 

Theorem  1  (i)  (Perm  Compose) 

∀U V. PERM U ∧ PERM V ∧ LENGTH U=LENGTH V ⊃ PERM(U®V) 

The  proof  is  basically  the  same  as  in  Section  6.4.1.  It  can  be  found  in  the  Appendix. 

Theorem  1  (ii)  (Associativity  of  Composition) 

∀U V W. PERM(V) ∧ PERM(U) ∧ LENGTH V=LENGTH U ∧ LENGTH W=LENGTH U ⊃ 
(W®V)®U=W®(V®U) 

Proof  of  (ii).  By  listinduction  on  u: 

(proof assoc_compose) 

1. (trw |def_appl(w,v) ∧ def_appl(v,u) ⊃ (w®v)®nil=w®(v®nil)| 
(open compose) sortcomp) 

(label ass_comp_base) 

2. (ue (phi |λu. def_appl(w,v) ∧ def_appl(v,u) ⊃ (w®v)®u=w®(v®u)|) 
listinduction 
(part 1#2 (open compose def_appl allp)) sortcomp ass_comp_base 
(use nth_compose ue: ((v.w)(u.v)))) 

;∀U. DEF_APPL(W,V) ∧ DEF_APPL(V,U) ⊃ (W®V)®U=W®(V®U) 

(label assoc_comp) 

In  particular,  the  conditions  of  definedness  are  satisfied  if  u  and  v  are  permutations  of  the 
same  length: 

3. (trw |∀u v w. perm(v) ∧ perm(u) ∧ length v=length u ∧ length w=length u ⊃ 
(w®v)®u=w®(v®u)| assoc_comp 
(use def_appl_condition1 ue: ((u.u)(v.v))) 
(use def_appl_condition1 ue: ((u.v)(v.w)))) 

;∀U V W. PERM(V) ∧ PERM(U) ∧ LENGTH V=LENGTH U ∧ LENGTH W=LENGTH U ⊃ 
;(W®V)®U=W®(V®U) 

(label associativity_of_composition) ■ 

Compare  with  the  corresponding  result  using  predicates  (Section  6.4.2).  An  explanation  of  why 
this  proof  is  much  simpler  is:  both  compose  and  def_appl  have  a  simple  definition  by  recursion 
on  lists.  The  lemma  and  the  theorem  can  be  proved  by  a  straightforward  double  induction  on  lists 
and  numbers.  On  the  other  hand,  when  composition  is  defined  as  a  predicate,  a  lot  of  rewriting  is 
required  to  expand  the  definitions  and  to  perform  the  right  substitutions,  and  the  decision  procedure 
is  often  applied  to  justify  conditional  rewriting.  This  cannot  be  done  in  a  few  lines. 


6.5.  Theorem  2:  The  Identity  Permutation. 

6.5.1.  Using  Predicates. 

We  have  the  following  theorem  about  identity: 

Theorem  2  (i)  (Id  Perm) 

∀U. ID(U) ⊃ PERM(U) 

Proof.  Intoness: 

;id implies perm 
(proof idperm) 

1. (trw |id(u) ⊃ into(u)| (open id into)) 
;ID(U) ⊃ INTO(U) 

(label p_i1) 

Ontoness: 

2. (assume |id(u)|) 

(label p_i2) 

3. (rw * (open id)) 

;∀N. N<LENGTH U ⊃ NTH(U,N)=N 
(label p_i3) 

4. (assume |n<length u|) 

(label p_i4) 

5. (derive |member(nth(u,n),u)| (* nthmember)) 

6. (derive |member(n,u)| (* p_i4 p_i3)) 

7. (ci p_i4) 

;N<LENGTH U ⊃ MEMBER(N,U) 

8. (derive |perm u| (p_i1 p_i2 *) 
(open perm onto)) 

9. (ci p_i2) 

;ID(U) ⊃ PERM(U) 

(label id_perm) ■ 

Right  and  left  identity  are  also  easy  consequences  of  the  definitions. 

Theorem  2  (ii)  (Right  Id) 

∀U V W. ID(U) ∧ COMP(V,W,U) ∧ LENGTH W=LENGTH U ⊃ V=W 
Proof. 

(proof identity_right) 

1. (assume |id(u)|) 

(label id_r1) 

2. (assume |comp(v,w,u)|) 

(label id_r2) 

3. (assume |length w=length u|) 

(label id_r3) 

4. (rw id_r1 (open id)) 

;∀N. N<LENGTH U ⊃ NTH(U,N)=N 
(label id_r4) 

5. (rw id_r2 (open comp)) 

;LENGTH V=LENGTH U ∧ (∀N. N<LENGTH U ⊃ NTH(V,N)=NTH(W,NTH(U,N))) 

(label id_r5) 

6. (rw * (use id_r4 mode: always)) 

;LENGTH V=LENGTH U ∧ (∀N. N<LENGTH U ⊃ NTH(V,N)=NTH(W,N)) 

(label id_r6) 

7. (trw |length v=length w| (use id_r3 id_r5 mode: always)) 

;LENGTH V=LENGTH W 

8. (derive |v=w| (extensionality id_r6 *)) 

9. (ci (id_r1 id_r2 id_r3)) 

;ID(U) ∧ COMP(V,W,U) ∧ LENGTH W=LENGTH U ⊃ V=W 
(label id_right) ■ 

Theorem 2 (iii) (Left Id)

∀U V W.ID(U)∧PERM(W)∧LENGTH W=LENGTH U∧COMP(V,U,W)⊃W=V

Proof.

(proof identity_left)

1. (assume |id(u)|)
(label id_l1)

2. (assume |perm w|)
(label id_l2)

3. (assume |length w=length u|)
(label id_l3)

4. (assume |comp(v,u,w)|)
(label id_l4)

5. (rw id_l1 (open id))
;∀N.N<LENGTH U⊃NTH(U,N)=N
(label id_l5)

6. (rw id_l4 (open comp))
;LENGTH V=LENGTH W∧(∀N.N<LENGTH V⊃NTH(V,N)=NTH(U,NTH(W,N)))
(label id_l6)

7. (rw id_l2 (open perm onto into))
;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))
(label id_l7)

8. (trw |∀m.m<length u⊃natnum(nth(w,m))∧nth(w,m)<length u| id_l7
        (use id_l3 mode: exact direction: reverse))
;∀M.M<LENGTH U⊃NATNUM(NTH(W,M))∧NTH(W,M)<LENGTH U
(label id_l8)

We can apply the property of the identity function u:

9. (trw |∀m.m<length u⊃nth(u,nth(w,m))=nth(w,m)| id_l5 *)
;∀M.M<LENGTH U⊃NTH(U,NTH(W,M))=NTH(W,M)
(label id_l9)

We will use extensionality:

10. (assume |m<length v|)
(label id_l10)

11. (trw |m<length u| * (use id_l3 id_l6 mode: exact direction: reverse))
;M<LENGTH U
(label id_l11)

12. (derive |nth(u,nth(w,m))=nth(w,m)| (id_l9 id_l11))

We use the fact that v is the composition of u and w:

13. (derive |nth(v,m)=nth(w,m)| (id_l6 id_l10) (use * mode: exact direction: reverse))

14. (ci id_l10)
;M<LENGTH V⊃NTH(V,M)=NTH(W,M)

15. (derive |w=v| (extensionality id_l6 *))

16. (ci (id_l1 id_l2 id_l3 id_l4))
;ID(U)∧PERM(W)∧LENGTH W=LENGTH U∧COMP(V,U,W)⊃W=V
(label id_left) ■
6.5.2. Using Functions: the Lemma Main Id.

The main result about the 'identity' list is the extensional property that was assumed in the
definition of id.

Lemma 6.5. (Main Id)

∀N.N<M⊃NTH(IDENT(M),N)=N.

Proof. First we show the following fact, Nthcdr Ident, by induction on n:

∀n.n<m⊃nthcdr(ident(m),n)=ident1(n,m-n)

(line 8). The lemma then follows easily.

(proof id_main)

;id main

1. (assume |n<m⊃nthcdr(ident(m),n)=ident1(n,m-n)|)
(label id_main1)

2. (assume |n'<m|)
(label id_main2)

3. (derive |nthcdr(ident(m),n)=ident1(n,m-n)| (id_main1 id_main2 succ_less_less))
;deps: (ID_MAIN1 ID_MAIN2)

Now we use Minusfact10 to expand the definition of ident1 in the right member of the equality.

;labels: MINUSFACT10
;∀N M.N<M⊃M-N=(M-N')'

4. (rw * (use minusfact10 mode: exact) (open ident1)
       (use id_main2 succ_less_less mode: exact))
;NTHCDR(IDENT(M),N)=N.IDENT1(N',M-N')
;deps: (ID_MAIN1 ID_MAIN2)

The inductive step is concluded by the use of Cdr Nthcdr:

;labels: CDR_NTHCDR
;∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N')

5. (trw |nthcdr(ident m,n')|
        (use cdr_nthcdr mode: exact direction: reverse)
        (use * mode: exact))
;NTHCDR(IDENT(M),N')=IDENT1(N',M-N')

6. (ci id_main2)
;N'<M⊃NTHCDR(IDENT(M),N')=IDENT1(N',M-N')

7. (ci id_main1)
;(N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,M-N))⊃
;(N'<M⊃NTHCDR(IDENT(M),N')=IDENT1(N',M-N'))

8. (ue (a |λn.n<m⊃nthcdr(ident(m),n)=ident1(n,m-n)|)
       proof_by_induction
       (part 1#1 (open minus ident)) *)
;∀N.N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,M-N)
(label nthcdr_ident)

To finish the proof of the lemma we use again Minusfact10...

9. (rw * (use minusfact10 mode: exact))
;∀N.N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,(M-N')')

...and then apply Car Nthcdr. In this last step we use the information about the length of the
ident function (see Section 6.3.3) in simpinfo.

;labels: CAR_NTHCDR
;∀U N.N<LENGTH U⊃CAR NTHCDR(U,N)=NTH(U,N)

;labels: SIMPINFO
;∀N.LENGTH(IDENT(N))=N

10. (ue ((u.|ident m|)(n.n)) car_nthcdr (use * mode: always))
;N<M⊃N=NTH(IDENT(M),N)

11. (trw |∀n m.n<m⊃nth(ident m,n)=n| *)
(label id_main) ■

Exercise. Prove Theorem 2 in the representation by functions

∀U.U∘IDENT(LENGTH U)=U
∀U.INTO(U)⊃IDENT(LENGTH U)∘U=U

using directly Theorem 2 (ii) (Right Id) and (iii) (Left Id):

∀U V W.ID(U)∧COMP(V,W,U)∧LENGTH W=LENGTH U⊃V=W

∀U V W.ID(U)∧PERM(W)∧LENGTH W=LENGTH U∧COMP(V,U,W)⊃W=V


6.5.3. Using Functions: Identity is a Permutation.

Using the above lemma, it is easy to prove that the 'identity' list is a permutation, following the
pattern of the proofs in Section 6.5.1.

Theorem 2 (i) (Perm Ident)

∀N.PERM(IDENT(N))

Proof.

(proof perm_ident)

;only ontoness requires some help

1. (assume |n<length ident(m)|)
(label prm_id1)

2. (rw * (open ident))
;N<M
(label prm_id2)

Again notice that the fact Length Ident:

∀N.LENGTH(IDENT(N))=N

is in simpinfo.

3. (derive |NTH(IDENT(M),N)=N| (* id_main))

4. (derive |member(nth(ident m,n),ident m)| (nthmember prm_id1))

5. (rw * (use -2 mode: exact))
;MEMBER(N,IDENT(M))

6. (ci prm_id1)
;N<M⊃MEMBER(N,IDENT(M))

7. (trw |∀n.perm(ident n)| (open perm into onto)
        (use id_main mode: always) *)
;∀N.PERM(IDENT(N))
(label perm_ident) ■


6.5.4. Using Functions: Right Identity.

Using the lemma Main Id it is also easy to show that ident gives the right identity.

Theorem 2 (ii) (Right Identity)

∀U.U∘IDENT(LENGTH U)=U

Remark. Example 9. We give two proofs of this Theorem, as evidence of our claim that a
presentation through abstract lemmata (Proof 1) is more convenient than direct verification (Proof
2). The convenience is not simply in the fact that the first proof is shorter than the second: rather
it lies in that we use the lemmata Nth Compose and Main Id, which have many other applications,
instead of proving a lemma of interest only in this context.

First Proof.

(proof identity_right)

1. (rw perm_id (open perm onto))
;∀N.INTO(IDENT(N))∧(∀N1.N1<N⊃MEMBER(N1,IDENT(N)))

;labels: DEF_APPL_CONDITION
;∀U V.INTO(U)∧LENGTH U≤LENGTH V⊃DEF_APPL(V,U)

2. (ue ((u.|ident(length u)|)(v.u)) def_appl_condition * (open lesseq))
;DEF_APPL(U,IDENT(LENGTH U))

;labels: NTH_COMPOSE
;∀V U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V∘U,N)=NTH(V,NTH(U,N))

3. (ue ((u.|ident(length u)|)(v.u)(n.n)) nth_compose *
       (use id_main mode: exact))
;N<LENGTH U⊃NTH(U∘IDENT(LENGTH U),N)=NTH(U,N)

;labels: EXTENSIONALITY
;∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃APPL(U,I)=APPL(V,I))⊃U=V

4. (ue ((u.|u∘ident(length u)|)(v.u)) extensionality (open appl)
       (use length_compose -2 *))
;U∘IDENT(LENGTH U)=U

Notice that this proof is the same as that given in Section 6.5.1.

Second Proof. Without using the main lemma, we can prove Right Identity by proving first

∀n.n≤length u⊃u∘ident1(length u-n,n)=nthcdr(u,length u-n).

(proof identity_right)

1. (ue ((u.u)(n.|length u|)) trivial_nthcdr (open lesseq))
;NTHCDR(U,LENGTH U)=NIL

2. (trw |u∘ident1(length u,0)=nthcdr(u,length u)| (open ident1 compose)
        (use * mode: exact))
;U∘IDENT1(LENGTH U,0)=NTHCDR(U,LENGTH U)
(label ir1)

3. (assume |n≤length(u)⊃u∘ident1(length u-n,n)=nthcdr(u,length u-n)|)
(label ir_hyp)

4. (assume |n'≤length u|)
(label ir2)

5. (derive |u∘ident1(length u-n,n)=nthcdr(u,length u-n)|
           (ir_hyp ir2 succ_lesseq_lesseq))
(label ir3)

6. (derive |length u-(n')<length u| (minusfact11 less_lesseqsucc ir2))
(label ir4)

7. (derive |(length u-n')'=length u-n| (minusfact10 less_lesseqsucc ir2))
(label ir5)

8. (trw |u∘ident1(length u-(n'),n')=nthcdr(u,length u-(n'))|
        (open ident1 compose)
        (use nthcdr_car_cdr ue: ((u.u)(n.|length u-(n')|)) mode: exact)
        ir4 ir5 ir3)
;U∘IDENT1(LENGTH U-N',N')=NTHCDR(U,LENGTH U-N')
;deps: (IR_HYP IR2)

9. (ci ir2)
;N'≤LENGTH U⊃U∘IDENT1(LENGTH U-N',N')=NTHCDR(U,LENGTH U-N')

10. (ci ir_hyp)

11. (ue (a |λn.n≤length(u)⊃u∘ident1(length u-n,n)=nthcdr(u,length u-n)|)
        proof_by_induction
        (part 1#1 (open minus)) ir1 *)
;∀N.N≤LENGTH U⊃U∘IDENT1(LENGTH U-N,N)=NTHCDR(U,LENGTH U-N)

The theorem follows immediately:

12. (ue (n |length u|) * (open lesseq nthcdr) (use n_less_n))
;U∘IDENT1(0,LENGTH U)=U

13. (trw |u∘ident(length u)=u| (open ident) *)
;U∘IDENT(LENGTH U)=U
(label identity_right) ■

6.5.5. Using Functions: Left Identity.

Similarly, by applying the Main Lemma for Identity, we can prove that ident gives the left
identity by following the pattern of the proof in Section 6.5.1.

Theorem 2 (iii) (Left Identity)

∀U.INTO(U)⊃IDENT(LENGTH U)∘U=U

Proof.

(proof identity_left)

1. (assume |into u|)
(label il_1)

2. (ue ((u.u)(v.|ident(length u)|)) def_appl_condition * (open lesseq))
;DEF_APPL(IDENT(LENGTH U),U)
(label il_2)

3. (rw il_1 (open into))
;∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U

4. (ue ((v.|ident(length u)|)(u.u)) nth_compose il_2 *
       (use id_main ue: ((n.|nth(u,n)|)(m.|length u|))))
;∀N.N<LENGTH U⊃NTH(IDENT(LENGTH U)∘U,N)=NTH(U,N)

5. (ue ((u.|ident(length u)∘u|)(v.u)) extensionality
       (sortcomp il_2 length_compose *) (open appl))
;IDENT(LENGTH U)∘U=U

6. (ci il_1)
;INTO(U)⊃IDENT(LENGTH U)∘U=U
(label identity_left) ■

It is completely clear that, by abstracting the main property of identity, we obtain a uniform
treatment of all the parts of Theorem 2 and greatly simplify the proofs. Actually the present
version is even more elegant than that using predicates, since the expression u∘w is easier to read
than comp(v,u,w) (for humans as well as for computer programs).


6.6. Theorem 3: the Inverse of a Permutation.

6.6.1. Using Predicates: the Inverse of a Permutation is a Permutation.

Theorem 3 (i) (Inv Perm)

∀U V.PERM(U)∧INV(V,U)∧LENGTH V=LENGTH U⊃PERM(V)

The proof of this theorem is obtained by expanding the definitions and making appropriate
substitutions, in the style of Theorems 1 (i) and 2 (i). We give it in the Appendix.


6.6.2. Using Predicates: the Right Inverse Theorem.

Theorem 3 (ii) (Right Inverse)

∀U V W.PERM(W)∧INV(U,W)∧COMP(V,W,U)∧LENGTH U=LENGTH W⊃ID(V)

Proof. Assume that w is a permutation (line 1), v is the result of composing u and w (line 4),
where u is the inverse of w (line 2), and u is of the same length as w (line 3). We need to see that
for all m < length(v), nth(v,m) = m (line 14).

The key point is the application of the lemma Nth Fstposition (line 13). To prepare it, we have
only to expand the definitions and perform the right substitutions:

nth(v,m) = nth(w,nth(u,m))          (by line 7) if m<length(v)=length(u)
         = nth(w,fstposition(w,m))  (line 10)
         = m                        (line 13)

;the theorem right inverse
(proof inverse_right)

1. (assume |perm w|)
(label invr1)

2. (assume |inv(u,w)|)
(label invr2)

3. (assume |length u=length w|)
(label invr3)

4. (assume |comp(v,w,u)|)
(label invr4)

5. (rw invr1 (open perm onto into))
;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))
(label invr5)

6. (rw invr2 (open inv))
;∀N.N<LENGTH U⊃NTH(U,N)=FSTPOSITION(W,N)
(label invr6)

7. (rw invr4 (open comp))
;LENGTH V=LENGTH U∧(∀N.N<LENGTH U⊃NTH(V,N)=NTH(W,NTH(U,N)))
(label invr7)

8. (assume |m<length v|)
(label invr8)

9. (rw * (use invr7 mode: exact))
;M<LENGTH U
(label invr9)

10. (trw |nth(v,m)=nth(w,fstposition(w,m))| (invr7 *)
         (use invr6 mode: always direction: reverse))
;NTH(V,M)=NTH(W,FSTPOSITION(W,M))
(label invr10)

11. (rw invr9 (use invr3 mode: exact))
;M<LENGTH W

12. (derive |member(m,w)| (invr5 *))

;labels: NTH_FSTPOSITION
;∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N

13. (rw invr10 (use nth_fstposition * mode: always))
;NTH(V,M)=M

14. (ci invr8)
;M<LENGTH V⊃NTH(V,M)=M

15. (trw |id(v)| (open id) *)
;ID(V)

16. (ci (invr1 invr2 invr4 invr3))
;PERM(W)∧INV(U,W)∧COMP(V,W,U)∧LENGTH U=LENGTH W⊃ID(V)
(label inv_right) ■


6.6.3. Using Predicates: the Theorem Left Inverse.

Theorem 3 (iii) (Left Inv)

∀U V W.PERM(W)∧INV(U,W)∧COMP(V,U,W)∧LENGTH W=LENGTH U⊃ID(V)

Proof. Assume that w is a perm, that u is the inverse of w, v is the result of composing u and
w, and that length(w) = length(u). We need to prove that

∀n.n<length(v)⊃nth(v,n)=n.

Assume that n < length(v). After expanding the definitions we know that

length(v) = length(w),

so n < length(w) and n < length(u). Similarly, all members of w are natural numbers less than
length(u) (lines 9, 13). So the sorts are verified and we can apply the definition of composition
to get

nth(v,n)=nth(u,nth(w,n))

(line 14), and the definition of inverse to obtain

nth(u∘w,n)=fstposition(w,nth(w,n))

(line 15).

We want to conclude that

fstposition(w,nth(w,n))=n.

This need not be true if in w there are several occurrences of the n-th element. However, w is a
permutation. By the pigeon hole principle w is injective; we can apply the lemma Fstposition Nth
(lines 8, 16) and obtain the desired conclusion (line 19).

(proof compose_inverse_left)

1. (assume |perm(w)|)
(label invl_1)

2. (assume |inv(u,w)|)
(label invl_2)

3. (assume |comp(v,u,w)|)
(label invl_3)

4. (assume |length(w)=length(u)|)
(label invl_4)

5. (rw invl_2 (open inv))
;∀N.N<LENGTH U⊃NTH(U,N)=FSTPOSITION(W,N)
(label invl_5)

6. (rw invl_1 (open perm onto into))
;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))
(label invl_6)
;deps: (INVL_1)

7. (rw invl_3 (open comp))
;LENGTH V=LENGTH W∧(∀N.N<LENGTH V⊃NTH(V,N)=NTH(U,NTH(W,N)))
(label invl_7)

8. (derive |∀n.n<length w⊃fstposition(w,nth(w,n))=n|
           (fstposition_nth perm_injectivity uniqueness_injectivity
            invl_1 invl_6))
(label invl_8)
;deps: (INVL_1)

9. (rw invl_6 (use invl_4 mode: exact))
;(∀N.N<LENGTH U⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,W))
(label invl_9)
;deps: (INVL_1 INVL_4)

10. (assume |n<length v|)
(label invl_10)

11. (rw * (use invl_7 mode: always))
;N<LENGTH W
(label invl_11)
;deps: (INVL_3 INVL_10)

12. (rw * invl_4)
;N<LENGTH U
(label invl_12)
;deps: (INVL_3 INVL_4 INVL_10)

13. (derive |natnum(nth(w,n))∧nth(w,n)<length u| (invl_9 *))
(label invl_13)
;deps: (INVL_1 INVL_3 INVL_4 INVL_10)

14. (derive |NTH(V,N)=NTH(U,NTH(W,N))| (invl_7 invl_10))
(label invl_14)
;deps: (INVL_3 INVL_10)

15. (rw invl_14 (use invl_5 ue: ((n.|nth(w,n)|)) invl_13 mode: exact))
;NTH(V,N)=FSTPOSITION(W,NTH(W,N))
(label invl_15)
;deps: (INVL_1 INVL_2 INVL_3 INVL_4 INVL_10)

;want to apply the lemma fstposition_nth

16. (rw invl_15 (use invl_8 invl_11 mode: always))
;NTH(V,N)=N
;deps: (INVL_1 INVL_2 INVL_3 INVL_4 INVL_10)

;and so v is the identity function

17. (ci invl_10)
;N<LENGTH V⊃NTH(V,N)=N
;deps: (INVL_1 INVL_2 INVL_3 INVL_4)

18. (trw |id v| (open id) *)
;ID(V)
;deps: (INVL_1 INVL_2 INVL_3 INVL_4)

19. (ci (INVL_1 INVL_2 INVL_3 INVL_4))
;PERM(W)∧INV(U,W)∧COMP(V,U,W)∧LENGTH W=LENGTH U⊃ID(V)
(label inv_left) ■


6.6.4. Using Functions: the Lemma Main Inv.

We follow the same strategy for the proof of the facts about the inverse operation. First we
prove the main extensional property of inverse (compare with the definition of inv, Section 6.2.1):

Lemma 6.6. (Main Inv)

∀U N.PERM U∧N<LENGTH U⊃NTH(INVERSE U,N)=FSTPOSITION(U,N)

and then we follow the proof of Theorem 3 in Sections 6.6.1, 6.6.2 and 6.6.3.

Proof of the Main Lemma. We show first that if u is a permutation, then

∀n.n<length u⊃nthcdr(inverse(u),n)=invers1(u,n,length u-n).

(proof inverse_main)

1. (assume |perm u|)
(label inv_main1)

We need to check that fstposition has the proper value on the intended domain.

2. (rw inv_main1 (open perm onto))
;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))
(label inv_main2)

3. (ue ((u.u)(y.n)) posfacts)
;(NULL FSTPOSITION(U,N)⊃¬MEMBER(N,U))∧
;(MEMBER(N,U)⊃NATNUM(FSTPOSITION(U,N)))

4. (derive |n<length u⊃¬null fstposition(u,n)| (inv_main2 *))
(label inv_main3)

Next we give the inductive argument for our sublemma:

5. (assume |n<length u⊃
            nthcdr(inverse(u),n)=invers1(u,n,length u-n)|)
(label inv_main5)

6. (assume |n'<length u|)
(label inv_main6)

7. (derive |n<length u| (* succ_less_less))
(label inv_main7)

8. (derive |¬null fstposition(u,n)| (inv_main3 inv_main7))
(label inv_main9)

We use Minusfact10 to expand the definition of invers1 in the right member of the equality.

9. (rw inv_main5
       (use inv_main7 inv_main9) (open invers1)
       (use minusfact10 mode: always))
;NTHCDR(INVERSE(U),N)=FSTPOSITION(U,N).INVERS1(U,N',LENGTH U-N')
(label inv_main10)
;deps: (INV_MAIN1 INV_MAIN5 INV_MAIN6)

We use Cdr Nthcdr to conclude the inductive step:

;labels: CDR_NTHCDR
;∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N')

10. (ue ((u.|inverse u|)(n.n)) cdr_nthcdr (use * mode: exact))
;INVERS1(U,N',LENGTH U-N')=NTHCDR(INVERSE(U),N')
;deps: (INV_MAIN1 INV_MAIN5 INV_MAIN6)

11. (ci inv_main6)
;N'<LENGTH U⊃INVERS1(U,N',LENGTH U-N')=NTHCDR(INVERSE(U),N')

12. (ci inv_main5)

13. (ue (a |λn.n<length u⊃nthcdr(inverse(u),n)=invers1(u,n,length u-n)|)
        proof_by_induction (part 1#1 (open inverse minus)) *)
;∀N.N<LENGTH U⊃NTHCDR(INVERSE(U),N)=INVERS1(U,N,LENGTH U-N)
;deps: (INV_MAIN1)

The main lemma follows. We use again Minusfact10 to expand the definition of invers1...

14. (rw * (use minusfact10 mode: exact) (open invers1)
        (use inv_main3 mode: always))
;∀N.N<LENGTH U⊃
;NTHCDR(INVERSE(U),N)=FSTPOSITION(U,N).INVERS1(U,N',LENGTH U-N')
;deps: (INV_MAIN1)

...and then Car Nthcdr.

;labels: CAR_NTHCDR
;∀U N.N<LENGTH U⊃CAR NTHCDR(U,N)=NTH(U,N)

15. (ue ((u.|inverse(u)|)(n.n)) car_nthcdr
        (use * lengthinverse inv_main1 mode: always))
;N<LENGTH U⊃FSTPOSITION(U,N)=NTH(INVERSE(U),N)
;deps: (INV_MAIN1)

16. (ci inv_main1)
;PERM(U)⊃(N<LENGTH U⊃FSTPOSITION(U,N)=NTH(INVERSE(U),N))

17. (derive |∀u n.perm u∧n<length u⊃nth(inverse u,n)=fstposition(u,n)| *)
(label inv_main) ■


Exercise. Prove Theorem 3 in the representation by functions

∀U.PERM(U)⊃U∘INVERSE(U)=IDENT(LENGTH(U))

∀U.PERM(U)⊃INVERSE U∘U=IDENT(LENGTH U)

using directly Theorem 3 (ii) (Right Inverse) and (iii) (Left Inv):

∀U V W.PERM(W)∧INV(U,W)∧COMP(V,W,U)∧LENGTH U=LENGTH W⊃ID(V)
∀U V W.PERM(W)∧INV(U,W)∧COMP(V,U,W)∧LENGTH W=LENGTH U⊃ID(V)


6.6.5. Using Functions: the Inverse of a Permutation is a Permutation.

Theorem 3 (i) (Perm Inverse)

∀U.PERM(U)⊃PERM(INVERSE(U))

Theorem 3 (ii) (Right Inverse)

∀U.PERM(U)⊃U∘INVERSE(U)=IDENT(LENGTH(U))

Theorem 3 (iii) (Left Inverse)

∀U.PERM(U)⊃INVERSE U∘U=IDENT(LENGTH U)

Proof of Theorem 3 (i). The first part of the Theorem is the proof of the following fact, Inv
Into:

∀U.PERM(U)⊃INTO(INVERSE(U))

(proof inverse_perm)

1. (assume |perm(u)|)
(label inv_p1)

2. (rw * (open perm onto))
;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))
(label inv_p2)

3. (ue ((u.u)(y.n)) posfacts)
;(NULL FSTPOSITION(U,N)⊃¬MEMBER(N,U))∧
;(MEMBER(N,U)⊃NATNUM(FSTPOSITION(U,N)))

4. (derive |∀n.n<length u⊃
            natnum fstposition(u,n)∧fstposition(u,n)<length u|
           (inv_p2 * pos_length))
(label inv_p3)

5. (derive |∀n.n<length u⊃
            nth(inverse u,n)=fstposition(u,n)|
           (inv_main inv_p1))
(label inv_p4)

6. (rw inv_p3 (use * mode: always direction: reverse))
;∀N.N<LENGTH U⊃NATNUM(NTH(INVERSE(U),N))∧NTH(INVERSE(U),N)<LENGTH U

7. (trw |into inverse(u)| *
        (open into) (use lengthinverse inv_p1 mode: exact))
;INTO(INVERSE(U))
(label into_inverse)

8. (ci inv_p1)
;PERM(U)⊃INTO(INVERSE(U))
(label inv_into)

The second part of the theorem is the proof that inverse(u) is onto, still under the assumption
that perm(u) (line 1).

9. (rw inv_p1 (open perm into onto))
;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))
(label inv_p10)

10. (derive |length inverse(u)=length u| (inv_p1 lengthinverse))
(label inv_p11)

11. (assume |n<length inverse(u)|)
(label inv_p12)

12. (rw * (use inv_p11 mode: exact))
;N<LENGTH U
(label inv_p13)

We can apply the main property of the inverse function...

13. (ue (n |nth(u,n)|) inv_p4 (use inv_p10 * mode: always))
;NTH(INVERSE(U),NTH(U,N))=FSTPOSITION(U,NTH(U,N))
(label inv_p14)

...the consequence of the Pigeon Hole principle...

14. (derive |inj u| (inv_p1 perm_injectivity))

...the basic fact Fstposition Nth...

15. (derive |fstposition(u,nth(u,n))=n|
            (fstposition_nth uniqueness_injectivity * inv_p10 inv_p13))

16. (rw inv_p14 (use *))
;NTH(INVERSE(U),NTH(U,N))=N
(label inv_p15)

...and the lemma Nthmember...

17. (derive |natnum nth(u,n)∧nth(u,n)<length inverse(u)|
            (inv_p10 inv_p11 inv_p13))

18. (trw |member(nth(inverse u,nth(u,n)),inverse u)|
         (nthmember *))
;MEMBER(NTH(INVERSE(U),NTH(U,N)),INVERSE(U))

...to conclude:

19. (rw * (use inv_p15))
;MEMBER(N,INVERSE(U))
;deps: (INV_P1 INV_P12)

20. (ci inv_p12)
;N<LENGTH(INVERSE(U))⊃MEMBER(N,INVERSE(U))
(label onto_inverse)

21. (trw |perm(inverse u)| (open perm onto)
         into_inverse onto_inverse)
;PERM(INVERSE(U))

22. (ci inv_p1)
;PERM(U)⊃PERM(INVERSE(U))
(label perm_inverse) ■

The proofs of the other parts of Theorem 3 are given in the Appendix.
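The identity results of Section 6.5 and the inverse results of Section 6.6, in the function representation, as an executable model. This is an added example, not the paper's EKL text: the Python names mirror the EKL identifiers (nth, fstposition, ident1, invers1, compose) on an assumed reading of their recursions, and the exhaustive check over all short permutations plays the role that the proofs play for arbitrary length.

```python
"""Executable model of the list-of-numbers representation of Section 6.

Added example, not the paper's EKL text.  The names mirror the EKL identifiers
(nth, nthcdr, fstposition, ident/ident1, inverse/invers1, compose); the
recursions of ident1 and invers1 are read off the rewriting steps of the Main Id
and Main Inv proofs (an assumption; the NULL case of invers1 is this model's)."""
from itertools import permutations

def nth(u, n):
    return u[n]

def nthcdr(u, n):
    return u[n:]

def fstposition(u, x):
    """Index of the first occurrence of x in u; None plays the role of NULL."""
    for i, y in enumerate(u):
        if y == x:
            return i
    return None

def into(u):
    """INTO(U): every entry is a natural number below LENGTH U."""
    return all(isinstance(x, int) and 0 <= x < len(u) for x in u)

def onto(u):
    """ONTO(U): every n below LENGTH U is a member of u."""
    return all(n in u for n in range(len(u)))

def perm(u):
    return into(u) and onto(u)

def def_appl(v, u):
    """Def Appl Condition: INTO(U) and LENGTH U <= LENGTH V give DEF_APPL(V,U)."""
    return into(u) and len(u) <= len(v)

def compose(v, u):
    """v∘u, characterised by Nth Compose: nth(v∘u,n) = nth(v,nth(u,n))."""
    if not def_appl(v, u):
        raise ValueError("Nth Compose needs DEF_APPL(V,U)")
    return [nth(v, nth(u, n)) for n in range(len(u))]

def ident1(n, k):
    """ident1(n,0) = nil and ident1(n,k') = n . ident1(n',k)."""
    return [] if k == 0 else [n] + ident1(n + 1, k - 1)

def ident(m):
    return ident1(0, m)

def invers1(u, n, k):
    """invers1(u,n,0) = nil and invers1(u,n,k') = fstposition(u,n) . invers1(u,n',k)."""
    return [] if k == 0 else [fstposition(u, n)] + invers1(u, n + 1, k - 1)

def inverse(u):
    return invers1(u, 0, len(u))

def identity_theorems_hold(u):
    """Nthcdr Ident, Main Id and Theorem 2 (i)-(iii) for the list u."""
    m = len(u)
    nthcdr_ident = all(nthcdr(ident(m), n) == ident1(n, m - n) for n in range(m + 1))
    main_id = all(nth(ident(m), n) == n for n in range(m))
    perm_ident = perm(ident(m))
    right_id = compose(u, ident(m)) == u                   # no hypothesis on u
    left_id = (not into(u)) or compose(ident(m), u) == u   # needs INTO(U)
    return nthcdr_ident and main_id and perm_ident and right_id and left_id

def inverse_theorems_hold(u):
    """Main Inv and Theorem 3 (i)-(iii); the hypothesis PERM(U) is required."""
    if not perm(u):
        return False
    m = len(u)
    main_inv = all(nth(inverse(u), n) == fstposition(u, n) for n in range(m))
    perm_inverse = perm(inverse(u))
    right_inverse = compose(u, inverse(u)) == ident(m)
    left_inverse = compose(inverse(u), u) == ident(m)
    return main_inv and perm_inverse and right_inverse and left_inverse

def exhaustive_check(max_len):
    """Both theorem groups over every permutation of length at most max_len."""
    return all(identity_theorems_hold(list(p)) and inverse_theorems_hold(list(p))
               for n in range(max_len + 1) for p in permutations(range(n)))

def left_inverse_fails(w):
    """The caveat of Section 6.6.3: fstposition(w,nth(w,n)) = n needs w injective.
    True when w is into but inverse(w)∘w is not the identity list."""
    return into(w) and compose(inverse(w), w) != ident(len(w))
```

Right Identity needs no hypothesis on u, while Left Identity needs INTO(U) and the inverse laws need PERM(U); left_inverse_fails([0, 0]) shows why the injectivity obtained from the Pigeon Hole principle cannot be dropped.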
7. Conclusion.

The remarks made in the Introduction and in the text, especially in Section 6.1, are relevant
to the heuristics of automatic theorem proving and apply at three stages of the enterprise of
mechanically representing mathematical facts.

■ First, the choice of a representation determines the basic strategy of proof. It is certainly
reasonable to search for a representation that allows simple recursive definitions of the basic objects
and hence relatively simple proofs by induction on those recursive definitions. For this reason
our representation using association lists is particularly attractive. However, there may be other
reasons suggesting a different representation. In our case, we considered the representation by lists
of numbers since it has the property of uniqueness.

Since EKL uses higher order language, it does not restrict us to a particular kind of representation:
if recursive definitions are not available, or not convenient, we may give abstract definitions
and carefully organize the argument so that appropriate mathematical or logical principles apply.
As a very simple example, discussing the choice of predicates or of functions in the representations
PERMP and PERMF we weighed two approaches: explicit definitions, derivations by logic inferences
and term substitutions directed by the user versus recursive definitions, proofs by induction and
logic inference replaced by rewriting. We considered advantages and limitations of the two methods
and saw how a judicious combination of them may give the best results. At the end of Section 6.1
we outlined the optimal choice of definitions and the most effective proof strategy.

Moreover, EKL allows us to prove abstract mathematical facts that are independent of the
particular representation: the Pigeon Hole principle was proved in second order arithmetic and
then applied to different representations. In general there is no doubt that an essential advantage
in proving correctness of programs is given by access to abstract mathematical knowledge.

■ Even when the main strategy of proof is chosen, different choices may be possible for the
Lemmata. One can use EKL as a heuristic aid and try to find a proof by trial and error, reduce
the task to some lemmata, try to prove the Lemmata, etc. (An example is given in the proof
Lengthinverse, Section 6.3.4.) A warning has to be made against this procedure: EKL will be
extremely helpful in reminding us of many details we usually take for granted, but we are not yet
ready to dismiss pencil and paper as obsolete: indeed it will save us a lot of time to work out a
fairly detailed proof by 'pencil and paper' before starting our interaction with EKL.

Let us say that a proof is 'trivial' when the recursive definition of the basic objects and the
statement of the theorem determine not only the main strategy of proof of the theorem, but also a
natural choice of the lemmata and strategies for their proofs. Presumably, for such 'trivial' proofs
some development of Boyer and Moore's techniques will allow entirely automatic heuristics.

There is no reason to think that given a simple recursive definition of some basic objects, one
will always find 'trivial' proofs by induction. Often the choice of the Lemmata will not be obvious.
Sometimes the lemmata suggested by the recursive definition of the objects and by the statement
of the theorem are by no means the most convenient or the most perspicuous.

Consider for instance our definition of inverse, using invers1 and fstposition: the functions
involved here cannot be considered extremely difficult as LISP programs. However, there is room
for discussion on how to choose and to prove the lemmata. Indeed, as we argued in the text, the
best choice seems to be to consider the abstract properties of the functions ident and inverse,
and prove them as lemmata. These properties are immediately recognized when we formulate the
identity function and the operation of function inversion more abstractly as predicates. They are
not the ones that come to mind first if we try to prove the theorems by expanding the definitions.

■ Finally, there is still room for choice at the stage of performing single inductive proofs,
when the necessary lemmata have been proved. One may try to obtain the proof in a single line, by
rewriting, or expand the proof by using explicitly the logic decision procedure in the style of Natural
Deduction. The heuristics of single proofs has been extensively discussed in the Conclusion of Part
I, Section 2.13.

Remark.  Example  10.  To  consider  the  different  options  available  in  carrying  on  a  relatively 
long  proof,  let’s  look  at  the  problem  of  formalizing  the  Lemma  in  Section  1.4  in  full  generality.  We 
want  to  prove  that  for  any  f  ■  A  —  B  with  .4  and  B  finite  sets  of  the  same  cardinality,  if  /  is  a 
surjection  then  /  is  also  an  injection.  We  express  this  statement  in  our  fragment  of  Set  Theory, 
using  our  (higher  order)  formalization  of  arithmetic.  The  following  is  an  outline  of  the  project. 
The  details  are  left  to  the  reader  as  an  exercise. 

i)  Formulate  the  Set  Theoretic  notions  of  map,  surjection,  injection  and  bijectioii.  and  use 
function  abstraction  and  application  to  define  function  composition.  For  instance: 

(decl  (f  g  h)  (type:  | ground-»ground I  ) ) 

(decl  map  (type:  | @f ®@a®@a-*truthval  I  )) 

(define  map  |Vg  a  b .map(g,a,b)s(Vxv.xv€aDg(xv)€b) I ) 

(label  mapdef) 

(decl  compmap  (type:  l(ag®@g-*@g|  )  (inf  ixname :  ®®) 

(bindingpower:  960)) 

(define  compmap  |Vf  g.f®®g=(Axv.f (g(xv))) I ) 

(label  compraapdef) 

The  fact  that  a  set  a  has  finite  cardinality  n  can  be  expressed  as 
Va  n.fincard(a,n)s3f .bijection(f ,segm(n) ,a) 

(where  segm(n)  denotes  N„). 

The  inverse  image  of  an  element  y  under  a  function  g  is 

VG  A  YV.INVIM(G,YV)=  AXV.G(XV)=YV 

ii)  -Apply  the  Pigeon  Hole  principle  to  maps  ly  :  N„  —  N„.  Formally,  prove  Oniomap  Injnxip 

VG  N.ONTOMAP(G,SEGM(N) ,SEGM(N))DINJMAP(G.SEGM(N) .SEGM(N)) 


A way to do this is to define a recursive functional card that counts the intersection of a set
a with the set N_n:

(define card |∀a n.card(a,0)=0∧
 card(a,n')=if a(n) then card(a,n)' else card(a,n)|
 inductive_definition)

The next step is to prove the analogues for card of the properties of mult. The Pigeon Hole
principle now takes the form

∀SETSEQ N.DISJOINT(SETSEQ,N)⊃
((∀M.M<N⊃1≤CARD(SETSEQ(M),N))⊃
(∀M.M<N⊃1=CARD(SETSEQ(M),N)))

Let setseq(m) be invim(g,m): by the properties of the inverse image and of surjective maps
we obtain

∀G N.ONTOMAP(G,SEGM(N),SEGM(N))⊃
(∀M.M<N⊃1=CARD(INVIM(G,M),N))

An argument by contradiction, counting cardinalities, gives Ontomap Injmap.
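The counting argument of step ii), as an added Python example that is not part of the paper's EKL development: card and invim follow the text's definitions over N_n = {0,...,n-1}, while ontomap, injmap, fibre_cards and the exhaustive check are this example's own. The implication Ontomap ⊃ Injmap is verified for every one of the n^n maps of N_n into itself by counting the cards of the inverse images, and a constructed map N_3 → N_2 shows why the equal-cardinality hypothesis cannot be dropped.

```python
"""The counting form of the Pigeon Hole principle on N_n = {0,...,n-1}
(added example; card and invim follow the text's definitions, the rest is mine)."""
from itertools import product
from typing import Callable, Dict

Pred = Callable[[int], bool]
Map = Callable[[int], int]

def card(a: Pred, n: int) -> int:
    """card(a,n) = |a ∩ N_n|, by the recursion of the text:
    card(a,0) = 0 and card(a,n') = card(a,n)' if a(n) else card(a,n)."""
    if n == 0:
        return 0
    return card(a, n - 1) + 1 if a(n - 1) else card(a, n - 1)

def invim(g: Map, y: int) -> Pred:
    """invim(g,y) = λxv.g(xv)=y: the inverse image of y as a predicate."""
    return lambda xv: g(xv) == y

def ontomap(g: Map, dom: int, cod: int) -> bool:
    """g maps N_dom onto N_cod: every element of N_cod has at least one preimage."""
    return all(card(invim(g, m), dom) >= 1 for m in range(cod))

def injmap(g: Map, dom: int, cod: int) -> bool:
    """g is injective on N_dom: no element of N_cod has two preimages."""
    return all(card(invim(g, m), dom) <= 1 for m in range(cod))

def fibre_cards(g: Map, n: int) -> Dict[int, int]:
    """The cards of the inverse images invim(g,m), m<n, counted inside N_n. They are
    pairwise disjoint, so their sum is the card of {x<n | g(x)<n} ≤ n; if each one
    is ≥ 1 that sum is also ≥ n, which forces every card to be exactly 1."""
    cards = {m: card(invim(g, m), n) for m in range(n)}
    assert sum(cards.values()) == card(lambda x: g(x) < n, n)   # disjointness
    return cards

def check_ontomap_injmap(n: int) -> bool:
    """Exhaustively verify Ontomap ⊃ Injmap over all n^n maps g: N_n → N_n."""
    for table in product(range(n), repeat=n):
        g = table.__getitem__                     # g(x) = table[x]
        if ontomap(g, n, n):
            cards = fibre_cards(g, n)
            if any(c != 1 for c in cards.values()) or not injmap(g, n, n):
                return False
    return True

def different_sizes_counterexample() -> tuple:
    """Constructed map N_3 → N_2, x ↦ [0,1,1][x]: onto N_2 but not injective,
    so the same-cardinality hypothesis of the theorem is really needed."""
    g = [0, 1, 1].__getitem__
    return ontomap(g, 3, 2), injmap(g, 3, 2)
```

The check is brute force and only feasible for small n; its point is the counting step in fibre_cards, which is exactly the contradiction argument of the text made executable.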

iii) Reduce the problem for arbitrary finite sets to the problem for sets of numbers. Namely,
show that given an onto function g : A → B and suitable bijections f_A : N_n → A, f_B : B → N_n,
there is a (finite) onto function f : N_n → N_n such that the diagram

[diagram not reproduced: the square formed by f_A, g, f_B and f]

commutes. f is an onto function over N_n, hence Ontomap Injmap applies. This involves some
abstract properties of maps between sets. Conclude:

∀G A B N.FINCARD(A,N)∧FINCARD(B,N)∧ONTOMAP(G,A,B)⊃INJMAP(G,A,B)


From this general application of the Pigeon Hole principle one can derive the corresponding
statements using various representations of finite functions. In the representation by association
lists one can show

1. ∀ALIST.PERMUTP(ALIST)⊃
ONTOMAP(λX.APPALIST(X,ALIST),MKLSET(DOM(ALIST)),MKLSET(RANGE(ALIST)))

2. ∀ALIST.PERMUTP(ALIST)⊃FINCARD(MKLSET(DOM(ALIST)),LENGTH(DOM(ALIST)))

3. ∀ALIST.PERMUTP(ALIST)⊃
BIJECTION(λX.APPALIST(X,ALIST),MKLSET(DOM(ALIST)),MKLSET(DOM(ALIST)))

and derive the familiar result Permutp Injectp

∀ALIST.PERMUTP(ALIST)⊃INJECTP(ALIST)

by using 1, 2, 3 and some fact about appalist. For instance, the following fact may be useful:

∀ALIST N.UNIQUENESS(DOM(ALIST))∧N<LENGTH(DOM(ALIST))⊃
APPALIST(NTH(DOM(ALIST),N),ALIST)=NTH(RANGE(ALIST),N)

Clearly the above alternative route to prove Permutp Injectp is elegant and attractive, since
the general facts may be applied in other contexts.
iv) In the same vein, one could want to do the entire project at a more abstract level. Namely,
one can use EKL to check that bijections over any (not necessarily finite) set, with composition of
functions, form a group. Facts about composition and the identity functions are easy, and one may
use the Axiom of Choice to show that every bijection has a right inverse, and some categorical
properties of mappings of sets to conclude that the right inverse is a two sided inverse.

The Axiom of Choice, i.e. the statement

(∀X.∃Y.A(X,Y))⊃(∃F.∀X.A(X,F(X)))

is built in EKL: whenever we have obtained the line

;(∀X.∃Y.A(X,Y))

we can ask EKL to define a suitable function fv

(define fv |∀x.A(x,fv(x))| *)

In the case of finite sets, by using iii) one can restrict oneself to prove that surjections form
a group. Also the corresponding fact, say, for the representation of finite functions by association
lists, can be obtained by proving the following facts:

(I) If f is a bijection over a finite set A, then there exists an association list alist_f that
represents f, i.e. such that for all elements x of A,

f(x) = appalist(x,alist_f).

(II) If f1 and f2 are functions for which f2 ∘ f1 is defined, and alist1, alist2 represent f1,
f2, respectively, then composition of functions is represented by composition of association lists,
i.e.

(f2 ∘ f1)(x) = appalist(alist1 ∘ alist2, x).

This approach is certainly very efficient and elegant. Here, however, we see that there may be
a price to be paid for efficiency: by general considerations we only show the existence of an inverse
function. We do not obtain the verification that a particular LISP program represents the inverse
permutation. In logical terms, we verify that our LISP structures satisfy the axioms of groups using
the axioms

∀xyz. x ∘ (y ∘ z) = (x ∘ y) ∘ z,

∃z.∀x∃y. x ∘ z = z ∘ x = x ∧ x ∘ y = y ∘ x = z,

rather than the universal axioms

∀xyz. x ∘ (y ∘ z) = (x ∘ y) ∘ z,

∀x. x ∘ e = e ∘ x = x,

∀x. x ∘ x⁻¹ = x⁻¹ ∘ x = e.

If the purpose of the project is mechanical verification of correctness of programs, the verification
of a given program representing inversion of permutations has to be done separately.
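Representation (I), the composition of (II), and the gap just described (existence of an inverse versus the correctness of one concrete inversion program) as an added Python example; it is not code from the paper or from the EKL files. The readings of permutp, appalist, alist composition and inverse below are this example's own, not the EKL definitions, and the association lists at the end are constructed sample data. The block checks Permutp ⊃ Injectp over every alist on a three-element domain, the nth fact quoted above, and the universal group axioms on a concrete permutation with the pair-swapping inverse program.

```python
"""Permutations as association lists, representation (I) of the text
(added example; the definitions are this example's own, not the EKL ones)."""
from itertools import product
from typing import Any, List, Tuple

Alist = List[Tuple[Any, Any]]        # LISP ((x1 . y1) (x2 . y2) ...)

def dom(alist: Alist) -> list:
    return [x for x, _ in alist]

def rng(alist: Alist) -> list:       # 'range' of the text; renamed to avoid the builtin
    return [y for _, y in alist]

def uniqueness(xs: list) -> bool:
    """UNIQUENESS: no element of the list occurs twice."""
    return len(set(xs)) == len(xs)

def appalist(x: Any, alist: Alist) -> Any:
    """Apply the alist to x: the value paired with the first occurrence of x
    (LISP assoc). Off the domain the text fixes no value; None is this
    example's choice."""
    for k, v in alist:
        if k == x:
            return v
    return None

def nth(xs: list, n: int) -> Any:
    return xs[n]

def permutp(alist: Alist) -> bool:
    """Assumed reading of PERMUTP: dom has no repetitions and range is a
    rearrangement of dom."""
    return uniqueness(dom(alist)) and sorted(dom(alist)) == sorted(rng(alist))

def injectp(alist: Alist) -> bool:
    """INJECTP: distinct domain elements are sent to distinct values."""
    return uniqueness([appalist(x, alist) for x in dom(alist)])

def compose(alist1: Alist, alist2: Alist) -> Alist:
    """Composition of alists as in (II): apply alist1 first, then alist2,
    so appalist(x, compose(alist1, alist2)) = (f2 ∘ f1)(x)."""
    return [(x, appalist(appalist(x, alist1), alist2)) for x in dom(alist1)]

def identity(xs: list) -> Alist:
    return [(x, x) for x in xs]

def inverse(alist: Alist) -> Alist:
    """The concrete inversion program whose correctness the text says must be
    verified separately from the existence proof: swap every pair."""
    return [(y, x) for x, y in alist]

def same_function(a1: Alist, a2: Alist, xs: list) -> bool:
    return all(appalist(x, a1) == appalist(x, a2) for x in xs)

def group_axioms_hold(alist: Alist, xs: list) -> bool:
    """The universal group axioms of the text, checked on one permutation over xs:
    associativity, identity, and that inverse() is a two sided inverse."""
    e, inv = identity(xs), inverse(alist)
    assoc = same_function(compose(compose(alist, alist), alist),
                          compose(alist, compose(alist, alist)), xs)
    ident = (same_function(compose(alist, e), alist, xs)
             and same_function(compose(e, alist), alist, xs))
    invs = (same_function(compose(alist, inv), e, xs)
            and same_function(compose(inv, alist), e, xs))
    return assoc and ident and invs

def nth_fact(alist: Alist, n: int) -> bool:
    """UNIQUENESS(DOM(ALIST)) ∧ N<LENGTH(DOM(ALIST)) ⊃
       APPALIST(NTH(DOM(ALIST),N),ALIST) = NTH(RANGE(ALIST),N)"""
    if not (uniqueness(dom(alist)) and n < len(dom(alist))):
        return True                          # hypothesis false, implication holds
    return appalist(nth(dom(alist), n), alist) == nth(rng(alist), n)

def check_permutp_injectp(xs: list) -> bool:
    """Permutp ⊃ Injectp over every alist with domain xs and values in xs."""
    for values in product(xs, repeat=len(xs)):
        alist = list(zip(xs, values))
        if permutp(alist) and not injectp(alist):
            return False
    return True

# constructed sample data
CYCLE = [("a", "b"), ("b", "c"), ("c", "a")]     # the 3-cycle a→b→c→a
NOT_PERM = [("a", "b"), ("b", "b")]              # two elements sent to b
```

group_axioms_hold is exactly the check the text says the abstract route does not give for free: it exercises the inversion program on data rather than deriving its existence, so a wrong inverse() (say, one that forgot to swap) would fail the two sided inverse clause.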

Despite our emphasis on the use of abstract mathematical tools, the approach to verification
of properties of programs that has been followed in this paper could be described as the approach
'from below': given simple LISP programs performing some mathematical constructions, prove
'directly' the properties of programs that correspond to the mathematical facts in question.

The efficiency obtained by working with abstract notions suggests a different approach to mechanical
program verification: working 'from above', we may formally prove facts with a maximum
of generality and abstraction; only at the end do we apply the result to the concrete programs.

In conclusion, our experiment shows that, even when (i) our mathematical objects have simple
recursive definitions, (ii) the proofs require no sophisticated methods and (iii) the heuristics itself
appears mechanizable for some part of the proofs, it is still convenient to organize the subject
through abstract lemmata, rather than to use direct proofs every time.

In Proof Theory procedures of Normalization play an essential role. Roughly speaking, when
logical constants and mathematical entities can be appropriately defined according to the pattern
Introduction - Elimination, it is possible to define a normal form for proofs and to find procedures
that transform every proof into one in normal form.

In such procedures a sequence of inferences that first establishes a general lemma and then applies
it to particular conditions is considered a 'detour'. Such a sequence must be simplified in favor of a
longer but more direct proof. From the point of view of Proof Theory it is essential to establish the
possibility of normalization. Important properties of mathematical systems can be established by
these methods.

However, Normalization does not seem to be the optimal strategy for proof checking. In formalizing
relatively large areas of knowledge it seems necessary to follow the opposite strategy, namely
to search for suitable abstract Lemmata applicable to different situations.

Using Kreisel's words:

'The particular strategy of organizing an area of knowledge, which serves us here as
a model, is the style of Bourbaki: one looks for a few definitions and key theorems that
lead to easy solutions of many problems. (No one proof in Bourbaki is long).'

G.Kreisel [1981]
8.1. A Summary of Natural Deduction.

The aim of the following notes is to remind the reader of the basic features of Gentzen's
system of Natural Deduction, not only because of its historical importance in the design of EKL and
of related systems (e.g. FOL), but also since some familiarity with Natural Deduction may be useful
in constructing EKL proofs. The reader already familiar with the subject may want to skip this
section.

A Natural Deduction System is a formal system that allows one to derive a formula as consequence
of a list of formulas, the assumptions, and to eliminate formulas from a given assumption
list. One of the deduction rules in a Natural Deduction system, given a derivation of B from a set
of assumptions of the form A, allows one to construct a derivation of A ⊃ B, where (some of) the
assumptions A have been discharged (see the ⊃-Introduction rule below).

By contrast a Hilbert style axiomatic system allows one only to derive logical consequences of
certain formulas, regarded as axioms. We need a metatheorem to prove that in certain conditions
if B is provable from a set of axioms S together with the axiom A then there is a proof of A ⊃ B
from S only (Deduction Theorem).

The most successful system of Natural Deduction was defined by Gentzen and later improved
by Prawitz [1965, 1971]. In the Prawitz formulation, we are given a language with a symbol ⊥
for falsity and the usual connectives and quantifiers ∧, ∨, ⊃, ∀ and ∃. Negation is defined; ¬A is
A ⊃ ⊥. Moreover we use two disjoint sets of symbols for free and bound variables. A system of
Natural Deduction is specified by rules of inference and rules of deduction.

A derivation is a finite tree of formulas (with 'leaves' at the top), where

(i) the top formulas ('leaves') are the assumptions,

(ii) the bottom formula is the conclusion,

(iii) every formula not at the top is derived by a rule of inference from the subderivation
immediately above it and

(iv) a deduction rule associates to each occurrence of a formula a set of open assumptions, i.e.
the set of assumptions which the formula in question depends on.

Often in the literature the deduction rules are not explicitly specified, but the reader can
easily fill in the details. (Actually, dealing with finite trees, an effective specification is always
possible.) A useful convention is to divide assumptions of the same form into assumption classes,
to mark with the same label an assumption class and the inference by which the assumption class
is discharged.

A rule of inference has the form: If Π1, ..., Πn are derivations of C1, ..., Cn respectively, then

    Π1  ...  Πn
    C1  ...  Cn
    -----------
         C

is a derivation of C, under certain conditions on the form of the Ci's and Πi's. The formulas Ci
are called the premises and C the conclusion of the inference.

Thus the set of rules of inference, together with the clause

Every formula is a derivation of itself.

gives an inductive definition of derivations.

The reader will recognize the usual rules of introduction and elimination of the logical connectives
and quantifiers in the figures below. More specifically, in each of the figures below, if
the symbol(s) above the line denote derivation(s) of the indicated formula(s), then the displayed
symbols denote a derivation of the formula below the line.


∧-Introduction                  ∧-Elimination

   Π1    Π2                        Π           Π
   A     B                       A ∧ B       A ∧ B
   ---------                     -----       -----
    A ∧ B                          A           B


⊃-Introduction                  ⊃-Elimination

    [A]                            Π1      Π2
     Π                            A ⊃ B    A
     B                            ----------
   -------                            B
    A ⊃ B


∨-Introduction                  ∨-Elimination

    Π          Π                            [A]    [B]
    A          B                    Π1      Π2     Π3
  -------    -------              A ∨ B     C      C
   A ∨ B      A ∨ B               ------------------
                                          C


∀-Introduction                  ∀-Elimination

    Π(a)                            Π
    A(a)                         ∀x.A(x)
  ---------                      -------
   ∀x.A(x)                         A(t)

where no open assumption of Π(a) contains the free variable a; t is any individual term.


∃-Introduction                  ∃-Elimination

     Π                                     [A(a)]
    A(t)                            Π1       Π2
  ---------                      ∃x.A(x)     C
   ∃x.A(x)                       -------------
                                       C

where the free variable a does not occur in C, in ∃x.A(x), or in any open assumption of Π2 different
from A(a); t is any individual term.

In any elimination rule the first premise, containing the symbol to be 'eliminated', is called
the major premise. The other premise(s) (if any) are called minor premise(s).

The following rules for negation are needed to formalize Intuitionistic Logic and Classic Logic.

⊥_I (Intuitionistic)            ⊥_C (Classic)

     Π                              [¬A]
     ⊥                               Π
    ---                              ⊥
     A                              ---
                                     A

Under most rules of deduction the open assumptions associated with the conclusion of an
inference are the union of the sets of open assumptions associated with the premises, with the
following exceptions:

i) in ⊃-Introduction, the assumption class [A] is discharged;

ii) in ∨-Elimination, the assumption classes [A] of Π2 and [B] of Π3 are discharged;

iii) in ∃-Elimination, the assumption class [A(a)] of Π2 is discharged;

iv) in the Classical Rule of Negation, the assumption class [¬A] is discharged.




Deduction rules can be specified by writing the set of open assumptions (followed by some
symbol, e.g. '⊢') before each formula occurrence in the derivation. Thus, using Greek letters for sets
of assumptions, we can write the rules for disjunction as

∨-Introduction                  ∨-Elimination

     Π           Π                  Π1            Π2             Π3
   Γ ⊢ A       Γ ⊢ B            Γ ⊢ A ∨ B   Δ1 ∪ {A} ⊢ C   Δ2 ∪ {B} ⊢ C
 ---------   ---------          ------------------------------------------
 Γ ⊢ A ∨ B   Γ ⊢ A ∨ B                     Γ ∪ Δ1 ∪ Δ2 ⊢ C

Warning. A formulation of Natural Deduction along these lines would be only a typographical
variant of the above system and not a form of Calculus of Sequents, a related but conceptually
different logical calculus.

The restrictions on free variables for ∀-Introduction and ∃-Elimination establish a relation
between free variables and rules. When performing transformations on proofs it is convenient to
have a different free variable for each application of such a rule. This can be handled by introducing
a special list of variables, called eigenvariables or parameters, to be used in association with
∀-Introduction and ∃-Elimination.

One can prove that every derivation can be transformed into an equivalent one in which the
eigenvariable associated with a ∀-I or ∃-E application occurs only in the ancestors of the conclusion
of such rule. (Lemma on parameters, Prawitz [1965], p. 29).

A formal system that distinguishes between variables and parameters may be sometimes cumbersome,
although the main idea is simple. In the top level language of EKL the distinction is not
required (see rules about dependencies below).

The system M, containing only the rules for ∧, ∨, ⊃, ∀ and ∃, formalizes Minimal Logic. The
system I, given by M plus the Intuitionistic Negation Rule ⊥_I, is (Heyting) Intuitionistic Logic.
The system C, given by M plus the Classical Negation Rule, is full Classical Logic. We write Γ ⊢_I A
(Γ ⊢_C A) to indicate that A is derivable from the formulas in Γ in the system for Intuitionistic
(Classical) Logic.

Example 1.

          (1)                        (2)
           A                          B
   (3)   ----- ∨-I           (3)    ----- ∨-I
¬(A ∨ B)  A ∨ B           ¬(A ∨ B)  A ∨ B
---------------- ⊃-E      ---------------- ⊃-E
       ⊥                          ⊥
      ---- ⊃-I, (1)              ---- ⊃-I, (2)
       ¬A                         ¬B
      ------------------------------- ∧-I
                 ¬A ∧ ¬B

(Here '⊃-I', '⊃-E' stand for '⊃-Introduction', '⊃-Elimination', etc.) With the above specification of
the deduction rules, we obtain a derivation ¬(A ∨ B) ⊢_I ¬A ∧ ¬B.


Example 2.

  (1)   (2)
  ¬A     A
  --------- ⊃-E
      ⊥
     --- ⊥_I
      B                        (3)
    ------- ⊃-I, (2)            B
 (4)  A ⊃ B                   ------- ⊃-I
¬A ∨ B                         A ⊃ B
 ------------------------------------- ∨-E, (1), (3)
                 A ⊃ B

This is a derivation ¬A ∨ B ⊢_I A ⊃ B. Notice that we can infer A ⊃ B from B even if the
assumption class [A] is empty, i.e. A is not an open assumption which B depends on.

Example 3.a)

             (1)
          ∀x.A(x,b)
          --------- ∀-E
           A(a,b)
          --------- ∃-I
          ∃y.A(a,y)
    (2)   ----------- ∀-I
∃y∀x.A(x,y)  ∀x∃y.A(x,y)
------------------------- ∃-E, (1)
       ∀x∃y.A(x,y)

Here we assume that ∃y∀x.A(x,y) does not contain a, b.

Example 3.b) What restrictions must C satisfy in order for the following to be a correct
derivation?

                (1)
             ∀x.A(x,b)
   (2)       --------- ∀-E
    C         A(a,b)
   ------------------ ∧-I
      C ∧ A(a,b)
      ----------- ∧-E
        A(a,b)
      ----------- ∃-I
      ∃y.A(a,y)
 (3)  ------------ ∀-I
∃y∀x.A(x,y)  ∀x∃y.A(x,y)
------------------------- ∃-E, (1)
      ∀x∃y.A(x,y)
Example 4. (i) The rule ⊥_C is derivable in the system I plus the axiom A ∨ ¬A.

(ii) ⊢_C A ∨ ¬A. It is easy to see that in the proof we must assume ¬(A ∨ ¬A).

It will not be difficult to convince the reader that the derivation in Example 3(a) is 'better'
than that in Example 3(b). Not only is Example 3(a) shorter, but also the two successive steps of
Introduction and Elimination of ∧ in Example 3(b) do not give us any interesting information: the
formula C is simply irrelevant for the derivability of the conclusion from the premises.

This simple remark can be extended to other rules and gives the main idea of the Normalization
Theorem, one of the most interesting results of Proof Theory.

The occurrence of a formula in a derivation is called maximal if it is at the same time the
conclusion of an Introduction and the major premise of an Elimination rule (necessarily, of the
same logical symbol). A maximal formula can be removed by a reduction, a transformation of the
given derivation that consists essentially of removing the two steps, Introduction and Elimination.
Here we give the list of reductions.

∧-Reduction

  Π1     Π2
  A1     A2
  --------- ∧-I
   A1 ∧ A2
   ------- ∧-E
    [Ai]
     Π3

where i = 1 or 2, is reduced to

     Πi
    [Ai]
     Π3
⊃-Reduction

   [A]
    Π1
    B
  ------- ⊃-I    Π2
   A ⊃ B         A
  ---------------- ⊃-E
         B
        [B]
         Π3

is reduced to

     Π2
    [A]
     Π1
    [B]
     Π3

∨-Reduction

    Π0              (1)     (2)
    Ai             [A1]    [A2]
  --------- ∨-I     Π1      Π2
   A1 ∨ A2          C       C
  ------------------------------ ∨-E, (1), (2)
                C
               [C]
                Π3

where i = 1 or 2, is reduced to

     Π0
    [Ai]
     Πi
    [C]
     Π3

The following derivation assumes that Π1(a) satisfies the restriction for the ∀-Introduction and
contains a only at some ancestors of A(a). (One can show that any derivation can be transformed
into an equivalent derivation satisfying the last condition.) Then

∀-Reduction

    Π1(a)
    A(a)
  --------- ∀-I
   ∀x.A(x)
  --------- ∀-E
    A(t)
   [A(t)]
     Π2

is reduced to

    Π1(t)
   [A(t)]
     Π2

where Π1(t) is the result of replacing everywhere t for a in Π1(a).
The following derivations assume that Π2(a) satisfies the restriction for the ∃-Elimination and
contains a only at some descendants of A(a).

∃-Reduction

    Π1              (1)
    A(t)           [A(a)]
  --------- ∃-I     Π2(a)
   ∃x.A(x)           C
  --------------------- ∃-E, (1)
            C
           [C]
            Π3

is reduced to

     Π1
   [A(t)]
    Π2(t)
    [C]
     Π3

where Π2(t) is the result of replacing everywhere t for a in Π2(a).


Example 5. The following derivation formalizes a common procedure: first prove a general
lemma (∀x.(A(x) ⊃ B(x))) and then apply it to particular cases.

       (1)
     [A(a)]
      Π1(a)
      B(a)
  ------------- ⊃-I, (1)
   A(a) ⊃ B(a)
  ---------------- ∀-I
  ∀x.(A(x) ⊃ B(x))
  ---------------- ∀-E       Π2
    A(t) ⊃ B(t)             A(t)
  -------------------------------- ⊃-E
                B(t)
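The ∧-, ⊃- and ∨-reductions listed above, as an added Python example that is not from the paper (the quantifier reductions are left out). Derivations are represented as proof terms in the usual Curry-Howard reading: pairing for ∧-I, projection for ∧-E, abstraction for ⊃-I, application for ⊃-E, injection for ∨-I and case analysis for ∨-E; a maximal formula is then a term whose root is an Elimination applied to the matching Introduction, and normalize removes them one at a time. The term encodings of Examples 1, 3(b) and 5 at the end are this example's own, with the quantifier steps elided.

```python
"""Proof terms for the ∧, ⊃, ∨ fragment of Natural Deduction and the ∧-, ⊃- and
∨-reductions that remove maximal formulas (added example, not from the paper)."""
from dataclasses import dataclass
from typing import Optional, Union

# Derivations as terms (Curry-Howard reading); the comment names the rule.
@dataclass(frozen=True)
class Hyp: name: str                                  # an assumption, by label
@dataclass(frozen=True)
class Pair: left: "Term"; right: "Term"               # ∧-Introduction
@dataclass(frozen=True)
class Proj: arg: "Term"; side: int                    # ∧-Elimination, side 1 or 2
@dataclass(frozen=True)
class Lam: var: str; body: "Term"                     # ⊃-Introduction, discharges var
@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"                   # ⊃-Elimination, fun is the major premise
@dataclass(frozen=True)
class Inj: arg: "Term"; side: int                     # ∨-Introduction, side 1 or 2
@dataclass(frozen=True)
class Case: scrut: "Term"; lvar: str; left: "Term"; rvar: str; right: "Term"  # ∨-Elimination
Term = Union[Hyp, Pair, Proj, Lam, App, Inj, Case]

def children(t: Term) -> tuple:
    if isinstance(t, (Proj, Inj)): return (t.arg,)
    if isinstance(t, Pair): return (t.left, t.right)
    if isinstance(t, App): return (t.fun, t.arg)
    if isinstance(t, Lam): return (t.body,)
    if isinstance(t, Case): return (t.scrut, t.left, t.right)
    return ()

def rebuild(t: Term, kids: list) -> Term:
    """t with its immediate subderivations replaced by kids (same order as children)."""
    if isinstance(t, (Proj, Inj)): return type(t)(kids[0], t.side)
    if isinstance(t, Lam): return Lam(t.var, kids[0])
    if isinstance(t, Case): return Case(kids[0], t.lvar, kids[1], t.rvar, kids[2])
    return type(t)(*kids) if kids else t

def free(t: Term) -> set:
    """The open assumptions of t."""
    if isinstance(t, Hyp): return {t.name}
    if isinstance(t, Lam): return free(t.body) - {t.var}
    if isinstance(t, Case):
        return free(t.scrut) | (free(t.left) - {t.lvar}) | (free(t.right) - {t.rvar})
    return set().union(*(free(k) for k in children(t)))

def subst(t: Term, x: str, s: Term) -> Term:
    """Place the derivation s above every open assumption x of t: the '[A] over Π'
    step of the ⊃- and ∨-reductions. Assumes the labels discharged inside t are
    named apart from the open assumptions of s (what the Lemma on parameters
    provides); a clash would capture an assumption, so it raises instead."""
    if isinstance(t, Hyp):
        return s if t.name == x else t
    if isinstance(t, Lam):
        if t.var == x: return t                  # x is discharged here already
        if t.var in free(s): raise ValueError(f"capture of {t.var}")
        return Lam(t.var, subst(t.body, x, s))
    if isinstance(t, Case):
        for v in (t.lvar, t.rvar):
            if v != x and v in free(s): raise ValueError(f"capture of {v}")
        left = t.left if t.lvar == x else subst(t.left, x, s)
        right = t.right if t.rvar == x else subst(t.right, x, s)
        return Case(subst(t.scrut, x, s), t.lvar, left, t.rvar, right)
    return rebuild(t, [subst(k, x, s) for k in children(t)])

def contract(t: Term) -> Optional[Term]:
    """If the root of t is a maximal formula (an Elimination whose major premise is
    the matching Introduction), the result of the reduction; otherwise None."""
    if isinstance(t, Proj) and isinstance(t.arg, Pair):           # ∧-reduction
        return t.arg.left if t.side == 1 else t.arg.right
    if isinstance(t, App) and isinstance(t.fun, Lam):             # ⊃-reduction
        return subst(t.fun.body, t.fun.var, t.arg)
    if isinstance(t, Case) and isinstance(t.scrut, Inj):          # ∨-reduction
        var, branch = (t.lvar, t.left) if t.scrut.side == 1 else (t.rvar, t.right)
        return subst(branch, var, t.scrut.arg)
    return None

def step(t: Term) -> Optional[Term]:
    """One reduction of the leftmost-outermost maximal formula; None if t is normal."""
    r = contract(t)
    if r is not None: return r
    kids = list(children(t))
    for i, k in enumerate(kids):
        r = step(k)
        if r is not None:
            kids[i] = r
            return rebuild(t, kids)
    return None

def count_maximal(t: Term) -> int:
    return int(contract(t) is not None) + sum(count_maximal(k) for k in children(t))

def normalize(t: Term, limit: int = 10_000) -> Term:
    """Reduce until no maximal formula is left. Well typed terms always terminate
    (the Normalization Theorem); the limit only guards against ill typed input."""
    for _ in range(limit):
        r = step(t)
        if r is None: return t
        t = r
    raise RuntimeError("no normal form reached within limit")

# Example 3(b): ∧-I of C and A(a,b) followed by ∧-E (quantifier steps not modelled).
EXAMPLE_3B = Proj(Pair(Hyp("C"), Hyp("A(a,b)")), 2)
# Example 5: a lemma ⊃-introduced over [A(a)] and then ⊃-eliminated on A(t); here Π1
# is an open assumption 'pi1' of A ⊃ B applied to the hypothesis.
EXAMPLE_5 = App(Lam("h", App(Hyp("pi1"), Hyp("h"))), Hyp("A(t)"))
# Example 1: ¬(A∨B) ⊢ ¬A ∧ ¬B with n the assumption ¬(A∨B); already normal.
EXAMPLE_1 = Pair(Lam("a", App(Hyp("n"), Inj(Hyp("a"), 1))),
                 Lam("b", App(Hyp("n"), Inj(Hyp("b"), 2))))
```

Running normalize on EXAMPLE_5 yields the direct derivation pi1 applied to A(t), which is the 'longer but more direct proof' the text speaks of with the general lemma cut out; count_maximal gives the number of detours still present in a term.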
A derivation is said to be normal if it does not contain maximal formulas.

Normalization Theorem. Every derivation in the system for Intuitionistic Logic can be
transformed into one in normal form.

The reader may have noticed that the normal derivations in Examples 1, 2 and 3(a) are, in
some sense, 'among the best possible', but with a difference: the derivation in Example 1 is, in some
sense, 'unique', whereas the others are not. Indeed in Example 2 we could permute the ⊃-I
applications and the ∨-E and still obtain a normal derivation. Similarly in Example 3(a) we could
permute the ∀-I and the ∃-E. Of course these remarks could be made precise, but our examples
suggest that uniqueness of the normal form may fail in a nontrivial sense.

Normal derivations have a very interesting structure. Their analysis requires some technical
notions. Let Π be a derivation. A path in Π is a sequence A1, ..., An of formula occurrences in Π
such that:

1) A1 is a top formula that is not discharged by ∨-Elimination or ∃-Elimination;

2) An is either the endformula of Π or the minor premise of a ⊃-Elimination; Ai, for i < n,
is not the minor premise of ⊃-Elimination;

3) for i < n, one of the following cases applies:

(i) Ai is a premise of an Introduction, of a Negation rule, of a ∧-Elimination, ∀-Elimination,
or the major premise of ⊃-Elimination, and Ai+1 is the conclusion of that inference;

(ii) Ai is a minor premise of an ∨-Elimination or of an ∃-Elimination and Ai+1 is the conclusion
of that inference;

(iii) Ai is the major premise of an ∨-Elimination or of an ∃-Elimination and Ai+1 is an
assumption discharged by that inference.

Example 6. In the derivation of Example 1

— (A, A ∨ B) is a path (i.e. the formula occurrence labeled (1) and the one immediately below
it);

— (¬(A ∨ B), ⊥, ¬A, ¬A ∧ ¬B) is a path (starting with the leftmost occurrence of ¬(A ∨ B)
labeled (3)).

In the derivation of Example 2

— the occurrence of A labeled (2) is a path;

— (¬A ∨ B, ¬A, ⊥, B, A ⊃ B, A ⊃ B) is a path (starting with the formula occurrence labeled
(4) and continuing with the one labeled (1)).

In a path there may be consecutive occurrences of the same formula, e.g. the minor premise
and the conclusion of an ∃-Elimination. A segment σ in a path of Π is a sequence (A1, ..., Ak) of
occurrences of (the same) formula, such that either 1 = k or, if k > 1, the following conditions are
satisfied:

i) for i = 2, ..., k, Ai is the consequence of an ∨-Elimination or of ∃-Elimination, and A1 is not
such a consequence;

ii) for i = 1, ..., k−1, Ai is the minor premise of an ∨-Elimination or of an ∃-Elimination and
Ak is not such a premise.
Example 7. Every formula occurrence in Example 1 is a segment. In Example 2, the sequence
(A ⊃ B, A ⊃ B) consisting of a minor premise and the conclusion of the final ∨-Elimination is a
segment; the sequence (A ⊃ B) containing the endformula of Example 2 is not a segment.

With this terminology, one can prove the following theorem, giving a complete characterization
of normal deductions in Intuitionistic Logic (see Prawitz [1965], pag. 54):

Theorem. Let Π be a normal deduction in the Natural Deduction system for Intuitionistic
Logic, let π be a path in Π, and let σ1, ..., σn be the sequence of segments in π. Then there is a
segment σi, called the minimum segment in π, which separates two (possibly empty) parts of π,
called the E-part and I-part of π, with the properties:

1) For each σj in the E-part (i.e. j < i), the last formula occurrence in σj is a major premise
of an E-rule and the formula in σj+1 is a subformula of the formula in σj.

2) If i ≠ n, the formula in σi is a premise of an I-rule or of the ⊥_I Negation rule.

3) For each σk in the I-part (i.e. i < k < n), the last formula occurrence in σk is a premise of
an I-rule and the formula in σk is a subformula of the formula in σk+1.

As a corollary of this analysis, one proves

Subformula Property. Every formula occurring in a normal derivation of A from Γ in the
system of Natural Deduction for Intuitionistic Logic is a subformula either of A or of a formula in
Γ.


The above result is fundamental in Proof Theory. For our purpose it is essential to notice that
if Γ ⊢_I A, then, in the search for a normal derivation we need to consider only subformulas of A
and of the formulas in Γ; moreover the above Theorem gives directions to build such a proof. A
normal deduction is in practice the best choice for a short proof. We may find it convenient to
break a long derivation into lemmata either for the sake of readability or in order to highlight some
important step in the argument.

By contrast, Example 4 (ii) shows that the Subformula Property fails for full Classical Logic.
Indeed we do not have a Normalization for full Classical Logic. In order to overcome the difficulty,
Gentzen introduced the Calculus of Sequents and Prawitz [1965, 1971] proves Normalization for the
formulation of Classical Logic without ∨ and ∃. However we will use the full system for Classical
Logic, and not the Calculus of Sequents, so these results, despite their theoretical relevance, are
beyond our immediate concern. For practical purposes, the reader may have noticed that when an
argument by contradiction is needed, there may be different ways to obtain one. A good choice of
the formula to be contradicted is an essential step to obtain a readable proof and is not given by a
mechanical procedure.

Remark. Proofs by induction do not fit well in the pattern Introduction-Elimination of
Natural Deduction; one may define what it means for the conclusion of an Induction Rule to be
maximal and prove a Normalization Theorem for the first order Natural Deduction system of
Peano Arithmetic (see Troelstra [1973]). The significance of the result, however, is reduced by the
fact that in such a system the Subformula Property does not hold. For higher order logic Prawitz
proved a Normalization Theorem (Prawitz [1968]). Again, the Subformula Property does not hold.
In practice, if we apply some axiom of induction (or a corresponding rule) in the context of
higher order logic and recursive functionals of higher types, the simple form of normal deductions
given by the Normalization Theorem for first order logic is necessarily lost.

As we shall see, we would like to let the computer do the logical steps of our proofs. To a
certain extent, we succeeded in replacing logical steps by rewriting. However, a certain familiarity
with Natural Deduction is important for the user of EKL. It suggests a safe procedure, though a
lengthy one, to expand proofs. It may help us to understand what additional information is needed
for the rewriting process to succeed.


8.2. Organization of the Files.

In practice, proofs are printed in electronically created files, that can be reached either directly
by the user or automatically by EKL through the command

(get-proofs proofname).

Our proofs are distributed in the files described below.

NORMAL contains rewriters to normalize formulas.

NATNUM gives basic facts of arithmetic, i.e. addition, multiplication and ordering.

MINUS introduces more elementary arithmetic, including subtraction.

LISPAX contains the axioms of LISP.

ALLP allows one to use the recursive predicate allp to replace bound quantifiers.

SET contains some notions of set theory.

LENGTH contains the definition of length and facts about it.

NTH contains the definitions of nth, nthcdr, fstposition and facts about them.

APPL contains the main definitions of application and permutation, in the two different
representations, (I) using association lists, and (II) using lists of numbers.

SUMS contains the notions of finite union, finite sums and bound quantifiers allnum and
somenum.

MULT contains the definition of the function multiplicity.

PIGEON presents the proof of the pigeon-hole principle.

ALPIG contains the application of the pigeon hole to functions represented by association lists.

ALPIG contains an application of the pigeon hole to functions represented by lists of numbers.

ASSOC contains the definition of the operations of composition, identity and inversion of
functions, represented as association lists (representation (I)) and proofs of all the facts about
permutations.

PERMP contains the definitions of the operation of composition, identity and inversion of
functions, using predicates in representation (II) and all the facts about permutations.

PERMF contains the definitions of composition, identity and inversion of functions, using
functions in representation (II) and the corresponding proofs.

The dependency of the files is as follows:

[dependency diagram not reproduced]

The reason for this organization of the files is to save memory when running the proofs. For
the same reason we state our theorems as axioms, we "save" them for "quick-reference" to EKL and
then we prove them.

One should not consider these details as merely 'administrative matter'. Quick access to stored
information is very important in practice and the amount of memory involved even in easy proofs
is considerable. Moreover, just as humans do not look at all the details when reading a proof (but
are supposedly able to reconstruct them, if asked), so a computer program checking a proof should
remember the relevant facts, not necessarily their proofs.

In the text most of the results are given with their proofs. Some facts of preliminary character
are only quoted; their proofs can be found in this Appendix.

8.3. file NORMAL.

;propositional schemata, used by the rewriter to normalize expressions
(wipe-out)

(proof normal)

1. (axiom |∀p q r.((p∨q)∧r)=((p∧r)∨(q∧r))|)

(label normal)

2. (axiom |∀p q r.(r∧(p∨q))=((r∧p)∨(r∧q))|)

(label normal)

3. (axiom |∀p q r.(r∧(p∨q))≡((p∧r)∨(q∧r))|)

(label normal)

4. (axiom |∀p q r.(p∨q⊃r)=(p⊃r)∧(q⊃r)|)

(label normal)

5. (axiom |∀p q.(¬(p∨q))=((¬p)∧(¬q))|)

(label demorgan)

6. (axiom |∀p q.¬(p∧q)=¬p∨¬q|)

(label demorgan1)

;It would cause combinatorial explosion to add these to simpinfo, or to put everything,
;say, in conjunctive normal form. So we call them as rewriters when needed.

;a few tricks

7. (axiom |∀p q.p≡(q⊃p)∧(¬q⊃p)|)

(label excluded_middle)

8. (derive |∀p q r.(q⊃r)∧(if p then q else r)⊃r|)

(label trans_cond)

(save-proofs normal)


8.4. file NATNUM.

We collected here the most elementary facts of arithmetic, omitting their proofs. Our purpose is
to have a collection of facts useful in various contexts, rather than to give a systematic treatment
of elementary arithmetic from Peano Axioms. Our basic inductive principles include the Second Order
Induction Axiom and the definition of primitive recursive functions and functionals of higher type.

;basic facts about arithmetic and proofs by Bellin

(proof natnum)

1. (decl lessp (type: |ground⊗ground→truthval|) (syntype: constant)
    (infixname: <) (bindingpower: 920))

2. (decl add1 (type: |ground→ground|) (syntype: constant) (postfixname: |'|)
    (bindingpower: 975))

3. (decl plus (infixname: |+|) (type: |ground⊗ground⊗ground*→ground|)
    (syntype: constant) (associativity: both) (bindingpower: 930))

4. (decl times (type: |ground⊗ground⊗ground*→ground|) (syntype: constant)
    (infixname: |*|) (associativity: both) (bindingpower: 935))

5. (decl (i j k n m) (sort: natnum) (type: ground))

6. (decl (a b c set) (type: |ground→truthval|))

;needed axioms on order

7. (axiom |∀n.¬n<n|)
(label irreflexivity_of_order)

8. (axiom |∀n m k.n<m∧m<k⊃n<k|)
(label transitivity_of_order)

9. (axiom |∀n.¬n<0|)
(label zeroleast1)


;successor and order

10. (axiom |∀n.natnum(n')|)
(label simpinfo)

11. (axiom |∀n.n<n'|)
(label successor1) (label succfacts)

12. (axiom |∀n m.¬n<m⊃m<n'|)
(label successor2) (label succfacts)

13. (axiom |∀n m.n'<m'≡n<m|)
(label successorless) (label succfacts)

14. (axiom |∀n m.(n'=m') = (n=m)|)
(label successoreq) (label succfacts)

15. (axiom |∀n.¬n=0⊃0<n|)
(label zeroleast2) (label succfacts)

16. (axiom |∀n.0<n'|)
(label zeroleast3) (label succfacts)

17. (axiom |∀n.¬(n'=0)|)
(label zero_not_successor) (label succfacts)

;definition of predecessor

18. (decl pred (type: |ground→ground|) (syntype: constant))

19. (defax pred |∀n.pred(n')=n|)
(label pred_def) (label simpinfo)

20. (axiom |∀n.natnum pred n|)
(label simpinfo)

;addition

21. (defax plus |∀n k.0+n=n∧k'+n=(k+n)'|)
(label plusdef) (label simpinfo) (label plusfacts)

22. (axiom |∀n m.natnum(n+m)|)
(label simpinfo)

23. (axiom |∀n.n+0=n|)
(label simpinfo) (label plusfacts)

24. (axiom |∀n.1+n=n'∧n+1=n'|)
(label simpinfo) (label plusfacts) (label plusdef1)

25. (axiom |∀n k.n+k'=(n+k)'|)
(label simpinfo) (label plusfacts)

26. (axiom |∀n k m.(k+m=k+n)=(m=n)|)
(label lpluscan) (label plusfacts)

27. (axiom |∀n k m.(m+k=n+k)=(m=n)|)
(label rpluscan) (label plusfacts)

28. (axiom |∀n k.n+k=0≡n=0∧k=0|)
(label addtozero) (label plusfacts)

;the effect of the following axiom is to force sums in basically normal
;form: the "simpler" terms will come first

29. (axiom |∀k n.k+n=n+k|)
(label commutadd) (label plusfacts)


;multiplication

30. (defax times |∀n k.0*n=0∧n'*k=(n*k)+k|)
(label timesdef) (label simpinfo) (label timesfacts)

31. (axiom |∀n m.natnum(m*n)|)
(label simpinfo)

32. (axiom |∀n.n*0=0∧1*n=n∧n*1=n|)
(label simpinfo) (label timesfacts)

33. (axiom |∀n k.n*k'=n*k+n|)
(label timsucc) (label timesfacts)

34. (axiom |∀n k m.¬k=0⊃((k*m=k*n)≡(m=n))|)
(label ltimescan) (label timesfacts)

35. (axiom |∀n k m.¬k=0⊃((m*k=n*k) = (m=n))|)
(label rtimescan) (label timesfacts)

36. (axiom |∀n m.n*m=m*n|)
(label commutmult) (label timesfacts)

37. (axiom |∀n k.¬n=0⊃n*k=0≡k=0|)
(label ltimestozero) (label timesfacts)

38. (axiom |∀n k.¬n=0⊃k*n=0≡k=0|)
(label rtimestozero) (label timesfacts)

;distributivity

39. (axiom |∀n k m.n*(k+m)=n*k+n*m|)
(label ldistrib) (label timesfacts) (label plusfacts)

40. (axiom |∀n m k.(m+k)*n=m*n+k*n|)
(label rdistrib) (label timesfacts) (label plusfacts)

;inductive principles
(proof induction)

1. (axiom |∀a.a(0)∧(∀n.a(n)⊃a(n'))⊃(∀n.a(n))|)
(label proof_by_induction)

2. (decl npars (type: |ground*|))

3. (decl ndl (type: |ground⊗ground*→ground*|))

4. (decl zcase (type: |ground*→ground|))

(axiom
|∀ndl zcase ndef.
 ∃fun.(∀npars n.fun(0,npars)=zcase(npars)∧
   fun(n',npars)=ndef(n,fun(n,ndl(n,npars)),npars))|)
(label inductive_definition)

;the following is a form of double induction

5. (axiom |∀a2.(∀n m.a2(0,n)∧a2(n,0)∧(a2(n,m)⊃a2(n',m')))⊃∀n m.a2(n,m)|)
(label proof_by_doubleinduction)

;general definitional principle for inductive functions

6. (decl (arb arb1 arb2) (type: |?arbitrary|))

7. (decl indfn (type: |ground⊗@arb→@arb|))

8. (decl (def_fun) (type: |ground→@arb|))

;this is the primitive recursive schema for definition on ALL
;higher type functionals:

;note the use of the variable type in declarations;
;in this way we can specialize to ANY type.

9. (axiom
|∀indfn arb.∃def_fun.∀n.def_fun(0)=arb∧
  def_fun(n')=indfn(n,def_fun(n))|)
(label high_order_natnum_definition)

;well-foundedness

10. (axiom |¬∃desc.∀n.desc(n')<desc(n)|)
(label infinite_descent)

(save-proofs natnum)


8.4.1. More Arithmetic.

;proofs of facts of arithmetic
(wipe-out)

(get-proofs normal)

(get-proofs natnum)

(label simpinfo zero_not_successor)  ;add these to simpinfo for now
(label simpinfo zeroleast1)
(label simpinfo successorless)
(label simpinfo successoreq)
(label simpinfo zeroleast3)

(proof lesseq)

;an easy consequence of the axioms in natnum

1. (ue (a |λn.¬n=n'|) proof_by_induction)
(label simpinfo)(label successorfacts) ■

2. (decl lesseq (type: |ground⊗ground→truthval|)(infixname: |≤|)
    (bindingpower: 920))

3. (define lesseq |∀m n.(m ≤ n)=(m=n∨m<n)|)
(label lesseqdef)

;successorlesseq

4. (trw |∀n m.n'≤m'≡n≤m| (open lesseq))
(label successorlesseq) (label successorfacts) (label simpinfo) ■

;trans_lesseq

5. (trw |∀n m k.n≤m∧m≤k⊃n≤k| (open lesseq) (use normal mode: always)
    transitivity_of_order)
;∀N M K.N≤M∧M≤K⊃N≤K
(label trans_lesseq) ■

;less_lesseq_fact1

6. (trw |∀n m k.n<m∧m≤k⊃n<k| (open lesseq) (use normal mode: always)
    transitivity_of_order)
;∀N M K.N<M∧M≤K⊃N<K
(label less_lesseq_fact1) ■

;zeroleast

7. (ue (a |λn.0≤n|) proof_by_induction (part 1 (open lesseq)))
;∀N.0≤N
(label zeroleast) ■

;oneleastsucc

8. (trw |0'≤n'| zeroleast)
;0'≤N'

9. (rw * (nuse successorlesseq))
;1≤N'
(label oneleastsucc) ■

;zero non less successor

10. (trw |m=0∧n'≤m|)
;¬(M=0∧N'≤M)

11. (derive |∀n m.n'≤m⊃¬m=0| *)
(label simpinfo)(label zero_non_less_successor) ■

;a couple of very trivial facts
;succ_less_less

12. (trw |∀m n.m'<n⊃m<n| transitivity_of_order successor1)
(label succ_less_less) ■

;succ_lesseq_lesseq

13. (derive |M'=N⊃M<N| successor1)

14. (trw |∀m n.m'≤n⊃m<n| (open lesseq)
    succ_less_less * (use normal mode: always))
;∀M N.M'≤N⊃M<N
(label succ_lesseq_lesseq) ■

;lesseq lesseq succ

15. (trw |∀n m.n≤m⊃n≤m'| (open lesseq) (use normal mode: always)
    (successor1 transitivity_of_order))
(label lesseq_lesseq_succ) ■

;"m less succ of n" implies "m lesseq n"

16. (ue (a |λn.n<0'≡n≤0|) proof_by_induction
    (part 1 (open lesseq)))
;∀N.N<1≡N≤0

17. (ue (a2 |λn m.m<n'≡m≤n|) proof_by_doubleinduction * zeroleast)
;∀N M.M<N'≡M≤N
(label less_succ_lesseq) ■

;"n less than m" implies "succ of n lesseq m"

18. (ue (a |λn.0<n≡0'≤n|) proof_by_induction
    zeroleast (part 1#1 (open lesseq)))
;∀N.0<N≡1≤N

19. (ue (a2 |λn m.n<m≡n'≤m|) proof_by_doubleinduction
    * (part 1#1#2 (open lesseq)))
;∀N M.N<M≡N'≤M
(label less_lesseqsucc) ■

;"n lesseq m" and "m lesseq n" implies "n equal m"

20. (ue (a2 |λn m.n≤m∧m≤n⊃n=m|) proof_by_doubleinduction
    (part 1 (open lesseq) (use normal mode: always)))
;∀N M.N≤M∧M≤N⊃N=M
(label leq_leq_eq) ■

;trichotomy

21. (rw zeroleast (open lesseq))

22. (ue (a2 |λn m.m<n∨m=n∨n<m|) proof_by_doubleinduction
    (use normal mode: always) *)
;∀N M.M<N∨M=N∨N<M
(label trichotomy) ■


8.4.2. Subtraction.

;minus

(proof minus)

1. (decl minus (type: |ground⊗ground→ground|)(infixname: |-|)
    (bindingpower: 940))

2. (define minus |∀m n.m-0=m∧m-(n')=pred(m-n)| inductive_definition)
(label minusdef)

;minus sort

;the following proof works because pred is a total function

3. (ue (a |λn.∀k.natnum(k-n)|) proof_by_induction
    (part 1 (open minus)))
;∀N K.NATNUM(K-N)
(label simpinfo) (label minus_sort) ■

;minusfact3

4. (ue (a |λn.n<m⊃pred(m'-n)=m-n|) proof_by_induction
    (part 1 (open minus pred)) succ_less_less)
;∀N.N<M⊃PRED(M'-N)=M-N

5. (ue (a2 |λn m.n<m⊃0<m-n|) proof_by_doubleinduction (open minus)
    (use * mode: always) succ_less_less)
;∀N M.N<M⊃0<M-N
(label minusfact3) ■

;minusfact5

6. (ue (a |λn.0<n⊃pred(n)'=n|) proof_by_induction)
;∀N.0<N⊃PRED(N)'=N
(label minusfact5) ■

;successor minus

7. (ue (a |λn.n<m⊃m'-n=(m-n)'|) proof_by_induction
    (use -2 -3 successor1 succ_less_less mode: exact)
    (use * ue: ((n.|m-n|))) (part 1 (open minus pred)))
;∀N.N<M⊃M'-N=(M-N)'

8. (derive |∀n m.n≤m⊃m'-n=(m-n)'| (* less_succ_lesseq))
(label successor_minus) ■

;pred_cancellation

9. (trw |∀n m.n≤m⊃pred(m'-n)=m-n| successor_minus)
;∀N M.N≤M⊃PRED(M'-N)=M-N
(label pred_cancellation) (label minusfact7) ■

;minusfact10

10. (trw |∀n m.n<m⊃(m-n')'=m-n| (use minusfact5 ue: ((n.|m-n|)))
    minusfact3 (open minus))
;∀N M.N<M⊃(M-N')'=M-N
(label minusfact10) ■

;minusfact11

11. (rw successor_minus (open lesseq) (use normal mode: always))

12. (derive |∀n m.n<m⊃m'-n=(m-n)'| *)

13. (ue (a |λn.0<n⊃pred(n)<n|) proof_by_induction successor1)
;∀N.0<N⊃PRED(N)<N

14. (ue (a2 |λn m.m<n⊃n-(m')<n|) proof_by_doubleinduction
    (part 1 (use * -2 minusdef mode: always))
    (transitivity_of_order successor1))
;∀N M.M<N⊃N-M'<N
(label minusfact11) ■

;n less n

15. (rw successor_minus (open lesseq)(use normal mode: always))

16. (derive |∀n m.n=m⊃m'-n=(m-n)'| *)

17. (ue (a |λn.n-n=0|) proof_by_induction
    (part 1 (use * mode: always)(open minus)))
;∀N.N-N=0
(label simpinfo) (label n_less_n) ■

;minus1

18. (ue ((n.n)(m.|n'|)) successor_minus (open lesseq))

19. (ue (a |λn.0<n⊃n-(pred n)=1|) proof_by_induction (open pred) *
    (use successor_minus n_less_n mode: exact))
(label minus1) ■

;total subtraction

20. (ue (a |λn.m<n⊃m-n=0|) proof_by_induction (open minus lesseq)
    (use less_succ_lesseq mode: exact) (use normal mode: always))
;∀N.M<N⊃M-N=0

21. (trw |∀n m.m≤n⊃m-n=0| (open lesseq)
    (use normal mode: always) * n_less_n)
;∀N M.M≤N⊃M-N=0
(label total_subtraction) ■

;inequality law

22. (derive |∀k n.k<n⊃n'-k=(n-k)'| (successor_minus less_succ_lesseq))

23. (ue (a2 |λn m.n<m⊃0<m-n|) proof_by_doubleinduction (open minus)
    (use * mode: always)(use succ_less_less))
;∀N M.N<M⊃0<M-N

24. (ue (a2 |λn m.k≤n∧m≤n-k≡m+k≤n|) proof_by_doubleinduction
    (use * -2 mode: always))
;(∀N M.K≤N∧M≤N-K≡M+K≤N⊃K≤N'∧M≤N-K≡M+K≤N)⊃(∀N M.K≤N∧M≤N-K≡M+K≤N)

25. (rw * (use less_succ_lesseq mode: exact)
    (open lesseq)(use normal mode: always))
;∀N M.K≤N∧M≤N-K≡M+K≤N
(label inequality_law) ■

The following two facts are needed in the induction step of the proof of the pigeon-hole principle.

Lemma. (Add Lesseq)

∀N K M.N≤M∧1≤K⊃N'≤M+K

The lower bound of a sum is the sum of the lower bounds. We use double induction.

Proof.

;add_lesseq

1. (trw |∀n.0'≤n'| (use zeroleast))

2. (rw * (nuse successorlesseq))
;∀N.1≤N'

The following line gives one base case, by a subordinate induction; the preceding line, with an
automatic substitution of n + k for n, proves the induction step for it.

3. (ue (a |λn.0≤n∧1≤k⊃1≤n+k|) proof_by_induction *)
;∀N.0≤N∧1≤K⊃1≤N+K

The other base case reduces to a tautology, using the next line.

4. (trw |∀n.n≤0⊃n=0| (open lesseq))
;∀N.N≤0⊃N=0

The induction step follows automatically from the line Successorlesseq (proof MINUS) which is
in "simpinfo".

5. (ue (a2 |λn m.n≤m∧1≤k⊃n'≤m+k|) proof_by_doubleinduction
    -2 (use * mode: always))
;∀N M.N≤M∧1≤K⊃N'≤M+K
(label add_lesseq) ■

Lemma. (Add One)

∀K N M.1≤K∧N'=M+K∧N≤M⊃1=K∧N=M

If the sum of two variables equals the sum of the lower bounds, then the values of the variables
must be their lower bounds.

Proof. Again we use double induction. One base case (i.e. n = 0) is also proved by double
induction.

;add_one

1. (ue (a2 |λm k.0'≤k∧0'=m+k⊃1=k∧0=m|) proof_by_doubleinduction
    (part 1 (open lesseq)(use normal mode: always)))
;∀N M.1≤M∧1=N+M⊃1=M∧0=N

Here the other base case (k = 0) and the induction step are trivial, since the antecedent
becomes false. In the other base case, when m = 0, we first rewrite 1 ≤ k as 1 < k ∨ 1 = k: i.e. we
"open" the symbol lesseq and then normalize. We obtain either a contradiction in the antecedent
(1 < k ∧ 1 = k) or the desired result.

The next line is now easy: the base case n = 0 is the last line. In the other base case m = 0, we
get n = 0 after opening ≤ (since n < 0 is impossible) and therefore also 1 = 0 + k. The induction
step follows from the lines Successorlesseq (proof MINUS) and Successoreq and Plusfacts (proof
NATNUM) that are in simpinfo.

2. (ue (a2 |λn m.1≤k∧n'=m+k∧n≤m⊃1=k∧n=m|) proof_by_doubleinduction
    (part 1#1#2 (open lesseq))
    (part 1#1#1 (use *)))
;∀N M.1≤K∧N'=M+K∧N≤M⊃1=K∧N=M
(label add_one) ■
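As an added example (not code from the paper or from EKL), the NATNUM and MINUS definitions above can be rendered as Python functions on non-negative integers and the lemmas quoted in this section (minusfact3, successor_minus, n_less_n, total_subtraction, inequality_law, add_lesseq, add_one) checked exhaustively on a finite range. The prim_rec helper, the choice pred(0) = 0, the range bound and the wrapping_minus8 contrast are assumptions of this example, not the paper's.

```python
# Added example, not code from the paper or from EKL: the NATNUM/MINUS
# definitions as Python functions on non-negative ints, plus finite checks of
# the lemmas quoted in this section.  prim_rec, pred(0)=0, the bound and the
# wrapping_minus8 contrast are assumptions of this example.

def prim_rec(zcase, ndef):
    """The inductive_definition schema (parameter-free case):
    fun(0) = zcase, fun(n') = ndef(n, fun(n))."""
    def fun(n):
        acc = zcase
        for i in range(n):          # i runs over 0 .. n-1: fun(i') from fun(i)
            acc = ndef(i, acc)
        return acc
    return fun

def succ(n):
    return n + 1

def pred(n):
    # pred_def states only pred(n') = n, and natnum(pred n) is an axiom;
    # pred(0) = 0 is this example's choice of a total extension.
    return n - 1 if n > 0 else 0

def plus(k, n):
    # plusdef: 0+n = n, k'+n = (k+n)'   (recursion on the left argument)
    return prim_rec(n, lambda _i, acc: succ(acc))(k)

def times(n, k):
    # timesdef: 0*k = 0, n'*k = (n*k)+k
    return prim_rec(0, lambda _i, acc: plus(acc, k))(n)

def minus(m, n):
    # minusdef: m-0 = m, m-n' = pred(m-n): total, truncating at 0
    return prim_rec(m, lambda _i, acc: pred(acc))(n)

def less(m, n):
    return m < n

def lesseq(m, n):
    # lesseqdef: m ≤ n = (m=n ∨ m<n)
    return m == n or less(m, n)

def implies(p, q):
    return (not p) or q

# Each lemma as a predicate on (n, m, k); the names are the EKL labels.
LEMMAS = {
    "minusfact3":        lambda n, m, k: implies(less(n, m), less(0, minus(m, n))),
    "successor_minus":   lambda n, m, k: implies(lesseq(n, m),
                                                 minus(succ(m), n) == succ(minus(m, n))),
    "n_less_n":          lambda n, m, k: minus(n, n) == 0,
    "total_subtraction": lambda n, m, k: implies(lesseq(m, n), minus(m, n) == 0),
    "inequality_law":    lambda n, m, k: (lesseq(k, n) and lesseq(m, minus(n, k)))
                                         == lesseq(plus(m, k), n),
    "add_lesseq":        lambda n, m, k: implies(lesseq(n, m) and lesseq(1, k),
                                                 lesseq(succ(n), plus(m, k))),
    "add_one":           lambda n, m, k: implies(lesseq(1, k) and succ(n) == plus(m, k)
                                                 and lesseq(n, m), k == 1 and n == m),
}

def check_lemmas(bound=12):
    """Names of lemmas that fail for some n, m, k < bound; expected: []."""
    failures = set()
    for name, law in LEMMAS.items():
        for n in range(bound):
            for m in range(bound):
                for k in range(bound):
                    if not law(n, m, k):
                        failures.add(name)
    return sorted(failures)

def wrapping_minus8(m, n):
    """8-bit two's-complement subtraction, for contrast only (not the paper's minus)."""
    return (m - n) % 256

def total_subtraction_holds(sub, bound=12):
    """Does  m ≤ n ⊃ sub(m,n) = 0  hold for all m, n < bound?"""
    return all(sub(m, n) == 0
               for m in range(bound) for n in range(bound) if lesseq(m, n))

if __name__ == "__main__":
    print(check_lemmas())                            # []
    print(total_subtraction_holds(minus))            # True
    print(total_subtraction_holds(wrapping_minus8))  # False
```

The contrast function is the practitioner's reason to care about total_subtraction: the paper's minus saturates at 0 by definition, so every lemma above holds with no side condition, whereas machine-width unsigned subtraction wraps and violates m ≤ n ⊃ m − n = 0, which is the usual origin of underflow bugs in length and offset arithmetic.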


8.5. file LISPAX.

We define the basic functions of LISP and give their properties as axioms. We have basic
principles of induction on lists and S-expressions and primitive recursive definition of LISP functions
and higher order functionals.

(proof lispax)

;;;declarations: note that t and nil are not declared - EKL knows about them
;;;since they are attached, we don't need to say things like null nil etc.

1. (decl car (unaryname: car) (type: |ground→ground|) (syntype: constant)
    (bindingpower: 950))

2. (decl cdr (unaryname: cdr) (type: |ground→ground|) (syntype: constant)
    (bindingpower: 950))

3. (decl atom (unaryname: atom) (type: |ground→truthval|) (syntype: constant)
    (bindingpower: 750))

4. (decl null (unaryname: null) (type: |ground→truthval|) (syntype: constant)
    (bindingpower: 750))

5. (decl listp (unaryname: listp) (type: |ground→truthval|) (syntype: constant)
    (bindingpower: 750))

6. (decl alistp (unaryname: alistp) (type: |ground→truthval|)
    (syntype: constant)(bindingpower: 750))

7. (decl sexp (unaryname: sexp) (type: |ground→truthval|) (syntype: constant)
    (bindingpower: 750))

8. (decl (u v w) (type: |ground|) (sort: |listp|))

9. (decl (x y z) (type: |ground|) (sort: |sexp|))

10. (decl (xa ya za) (type: |ground|) (sort: |atom|))

11. (decl (phi) (type: |ground→truthval|))

12. (decl cons (type: |(ground⊗ground)→ground|) (syntype: constant)
    (infixname: |.|)(prefixname: cons) (bindingpower: 850))

;;;basic axioms and sort info

13. (axiom |∀xa.sexp(xa)|)
(label simpinfo)

14. (axiom |∀u.sexp u|)
(label simpinfo)

15. (axiom |∀x u.listp x.u|)
(label simpinfo)

16. (axiom |∀u.¬null u ⊃ listp cdr u|)
(label simpinfo)

17. (axiom |∀u.¬null u ⊃ sexp car u|)
(label simpinfo)

18. (axiom |∀x.¬atom x ⊃ sexp car x|)
(label simpinfo)

19. (axiom |∀x.¬atom x ⊃ sexp cdr x|)
(label simpinfo)

20. (axiom |∀x y.sexp x.y|)
(label simpinfo)

21. (axiom |∀x y.¬atom x.y|)
(label simpinfo)

22. (axiom |∀x u.¬null x.u|)
(label simpinfo)

23. (axiom |∀u.null u ⊃ u = nil|)
(label simpinfo)

24. (axiom |∀x y.car (x.y) = x|)
(label simpinfo)

25. (axiom |∀x y.cdr (x.y) = y|)
(label simpinfo)

26. (axiom |car nil = nil|)
(label simpinfo)

27. (axiom |cdr nil = nil|)
(label simpinfo)

28. (axiom |∀u.¬null u ⊃ (car u.cdr u=u)|)
(label simpinfo) (label cons_car_cdr)

29. (axiom |∀x.¬atom x ⊃ (car x.cdr x=x)|)
(label simpinfo) (label cons_car_cdr)

;;;induction

30. (axiom |∀phi.phi(nil)∧(∀x u.phi(u)⊃phi(x.u))⊃(∀u.phi(u))|)
(label listinduction)


31. (decl pars (type: |ground*|))

32. (decl (dl dl1 dl2) (type: |ground⊗ground*→ground*|))

33. (decl nilcase (type: |ground*→ground*|))

34. (axiom
|∀dl nilcase def.
 (∃fun.(∀pars x u.fun(nil,pars)=nilcase(pars)∧
   fun(x.u,pars)=def(x,u,fun(u,dl(x,pars)),pars)))|)
(label listinductiondef)

35. (axiom
|∀phi.(∀x.atom x ⊃ phi(x))∧(∀x y.phi(x)∧phi(y)⊃phi(x.y))⊃(∀x.phi(x))|)
(label sexpinduction)

36. (axiom
|∀atomcase defsexp dl1 dl2.∃fun.
 ∀pars x y z.
  (atom z ⊃ fun(z,pars)=atomcase(z,pars)) ∧
  (fun(x.y,pars)=
    defsexp(x,y,fun(x,dl1(x,y,pars)),fun(y,dl2(x,y,pars)),pars))|)
(label sexpinductiondef)

;a high order definition schema when above is insufficient

37. (decl (arb arb1 arb2) (type: |?arbitrary|))

38. (decl bigfun (type: |ground⊗ground⊗@arb⊗@arb→@arb|))

39. (decl (defined_fun atom_fun) (type: |ground→@arb|))

;this is the primitive recursive schema for definition on ALL
;higher type functionals:

;note the use of the variable type in declarations;

;in this way we can specialize to ANY type.

40. (axiom
|∀bigfun atom_fun.∃defined_fun.
 ∀x y.(atom x ⊃ defined_fun(x)=atom_fun(x))∧
  (defined_fun(x.y)=
    bigfun(x,y,defined_fun(x),defined_fun(y)))|)
(label high_order_definition)

;;; lists of variable numbers of arguments don't require special treatment,
;;; since we have list types now

41. (decl list (type: |ground* → ground|) (syntype: constant))

42. (decl lst (type: |ground*|))

43. (axiom |list() = nil|)
(label simpinfo)

44. (axiom |∀lst.listp(list(lst))|)
(label simpinfo)

45. (axiom |∀x lst.list(x,lst) = x.list(lst)|)
(label listdef)(label simpinfo)

;;; this is lisp's append. while it can be proved associative, it
;;; is convenient in proofs of other theorems to have it declared
;;; associative.

46. (decl append (type: |ground⊗ground⊗(ground*)→ground|) (syntype: constant)
    (associativity: both) (infixname: *) (bindingpower: 840))

47. (defax append |∀x u v.nil*v=v∧(x.u)*v=x.(u*v)|)
(label appendef) (label simpinfo)

48. (axiom |∀u v.listp(u*v)|)
(label simpinfo) (label listappend)

49. (axiom |∀u.u*nil=u|)
(label simpinfo)

50. (axiom |∀x v.(x.nil)*v=x.v|)
(label simpinfo)

;;;map functions on lists

51. (decl (allp somep) (syntype: constant) (type: |(@phi)⊗ground→truthval|))

52. (defax allp
|∀phi x u.allp(phi,nil)∧
 allp(phi,x.u)=if phi(x) then allp(phi,u) else false|)
(label allpdef)

53. (defax somep
|∀phi x u.¬somep(phi,nil)∧
 somep(phi,x.u)=if phi(x) then true else somep(phi,u)|)
(label somepdef)

54. (defax mapcar
|∀fn x u.mapcar(fn,nil)=nil∧mapcar(fn,x.u)=fn(x).mapcar(fn,u)|)
(label mapcardef)

55. (decl (alist) (type: ground) (sort: alistp))

56. (axiom |∀alist.listp alist|)
(label simpinfo)

57. (axiom |∀u.alistp u = (¬null u ⊃
    ¬atom car u∧atom car (car u)∧alistp(cdr u))|)
(label alistdef1)

58. (axiom |∀xa y alist.alistp nil ∧ alistp (xa.y).alist|)
(label alistdef) (label simpinfo)

59. (decl assoc (type: |ground⊗ground → ground|) (syntype: constant))

60. (defax assoc
|∀x xa y alist.assoc(x,nil)=nil∧
 assoc(x,(xa.y).alist)=(if x=xa
    then xa.y
    else assoc(x,alist))|)
(label assocdef)

61. (axiom |∀x alist.sexp assoc(x,alist)|)
(label simpinfo)

62. (decl member (type: |ground⊗ground→truthval|) (syntype: constant))

63. (defax member |∀x y u.¬member(x,nil)∧member(x,y.u) = (x=y∨member(x,u))|)
(label memberdef)

64. (decl uniqueness (type: |ground→truthval|))

65. (defax uniqueness |∀u x.uniqueness nil ∧
    (uniqueness(x.u)=¬member(x,u)∧uniqueness(u))|)
(label uniquenessdef)

66. (ue (phi |λu.sexp car(u)|) listinduction)
(label simpinfo)

67. (ue (phi |λu.listp cdr(u)|) listinduction)
(label simpinfo)

(save-proofs lispax)


8.5.1. file ALLP.

;properties of allp
(wipe-out)
(get-proofs lispax)
;proofs allp
(proof allpprop)

1. (trw |∀phi x u.allp(phi,x.u)⊃phi(x)∧allp(phi,u)| (open allp))
;∀PHI X U.ALLP(PHI,X.U)⊃PHI(X)∧ALLP(PHI,U)
(label allpfact) ■

2. (ue (phi |λu.(∀y.member(y,u)⊃phi1(y))⊃allp(phi1,u)|)
    listinduction (open allp member) (use normal mode: always))
;∀U.(∀Y.MEMBER(Y,U)⊃PHI1(Y))⊃ALLP(PHI1,U)
(label allp_introduction) ■

3. (ue (phi |λu.member(x,u)∧allp(phi1,u)⊃phi1(x)|) listinduction
    (part 1 (open member allp) (use normal mode: always)))
;∀U.MEMBER(X,U)∧ALLP(PHI1,U)⊃PHI1(X)
(label allp_elimination) ■

4. (ue (phi |λu.∀a a1.allp(a,u)∧(∀x.a(x)⊃a1(x))⊃allp(a1,u)|) listinduction
    (open allp))
;∀U A A1.ALLP(A,U)∧(∀X.A(X)⊃A1(X))⊃ALLP(A1,U)
(label allp_implication) ■

(proof somepprop)

1. (ue (phi |λu.member(y,u)∧phi1(y)⊃somep(phi1,u)|)
    listinduction (open somep member) (use normal mode: always))
;∀U.MEMBER(Y,U)∧PHI1(Y)⊃SOMEP(PHI1,U)

2. (derive |∀u.(∃y.member(y,u)∧phi1(y))⊃somep(phi1,u)| *)

3. (ue (phi |λu.somep(phi1,u)⊃(∃x.member(x,u)∧phi1(x))|)
    listinduction
    (part 1 (open member somep) (use normal mode: always) (der)))
;∀U.SOMEP(PHI1,U)⊃(∃X.MEMBER(X,U)∧PHI1(X))

4. (derive |∀u.somep(phi1,u)≡(∃x.member(x,u)∧phi1(x))| (* -2))
(label somepfact) ■


8.6. file SET.

;useful set theory
(wipe-out)

(get-proofs allp)

(proof sets)

;all urelements will be S-expressions
;all S-expressions will be urelements

1. (decl (xv yv zv) (type: |ground|) (sort: urelement))

2. (decl (av bv) (type: |ground→truthval|))

3. (axiom |∀x.urelement x|)
(label simpinfo)

4. (axiom |∀xv.sexp(xv)|)
(label simpinfo)

5. (decl epsilon (type: |ground⊗@av→truthval|) (infixname: ∈) (bindingpower: 925))

6. (define epsilon |∀av xv.xv∈av≡av(xv)|)
(label epsilondef)

7. (axiom |∀av bv.(∀xv.xv∈av≡xv∈bv)⊃av=bv|)
(label set_extensionality)

8. (decl intersection (type: |@av⊗@av→@av|)
    (infixname: ∩) (bindingpower: 950) (prefixname: intersection))

9. (define intersection |∀av bv.av∩bv=λxv.(av(xv)∧bv(xv))|)
(label interdef)

10. (decl union (type: |@av⊗@av→@av|)
    (infixname: ∪) (bindingpower: 950) (prefixname: union))

11. (define union |∀av bv.av∪bv=λxv.(av(xv)∨bv(xv))|)
(label uniondef)

12. (decl inclusion (type: |@av⊗@av→truthval|)
    (infixname: ⊂) (bindingpower: 920) (prefixname: inclusion))

13. (define inclusion |∀av bv.av⊂bv=∀xv.av(xv)⊃bv(xv)|)
(label inclusiondef)

14. (defax emptyset |emptyset=λxv.false|)

15. (defax emptyp |∀av.emptyp(av)=∀xv.¬av(xv)|)

;the set of occurrences of an S-exp

16. (decl mkset (type: |ground→@av|))

17. (define mkset |∀x.mkset(x)=(λyv.yv=x)|)
(label mkset_def)

;the set of members of a list

18. (decl mklset (type: |ground→@av|))

19. (define mklset |∀u.mklset(u)=λx.member(x,u)|)
(label mklsetdef)

(proof setfacts)

;fact about mkset and mklset

1. (trw |∀u.member(y,u)⊃mkset(y)⊂mklset(u)|
    (open mkset mklset inclusion) (der))
;∀U.MEMBER(Y,U)⊃MKSET(Y)⊂MKLSET(U)
(label mkset_mklset) ■

;double inclusion

2. (ue ((av.av)(bv.bv)) set_extensionality (open epsilon))
;(∀XV.AV(XV)≡BV(XV))⊃AV=BV

3. (derive |av⊂bv∧bv⊂av⊃av=bv| (*) (open inclusion))
(label double_inclusion) ■

(save-proofs set)
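As an added example, not the paper's own code, the list functions of file LISPAX (member, allp, somep, uniqueness, assoc) and the sets-as-predicates of file SET (mkset, mklset, inclusion) written in Python over cons cells, with the facts allp_introduction and allp_elimination, somepfact and mkset_mklset checked on constructed lists. The Cons class, mklist, the finite universe passed to inclusion and the sample inputs are assumptions of this example.

```python
# Added example (not from the paper): LISPAX list functions and SET predicates
# in Python, with the ALLP/SOMEP/SET facts checked on constructed lists.
# Cons, mklist, the finite universe and the sample data are my assumptions.

NIL = None   # the atom nil; any non-Cons Python value is treated as an atom

class Cons:
    __slots__ = ("car", "cdr")
    def __init__(self, car, cdr):
        self.car, self.cdr = car, cdr

def null(x):
    return x is NIL

def mklist(*xs):
    """listdef: list() = nil, list(x,lst) = x.list(lst)."""
    u = NIL
    for x in reversed(xs):
        u = Cons(x, u)
    return u

def elements(u):
    """Python-side iteration over a proper list (used only by the checker)."""
    while not null(u):
        yield u.car
        u = u.cdr

def member(x, u):
    # memberdef: ¬member(x,nil) ∧ member(x,y.u) = (x=y ∨ member(x,u))
    return (not null(u)) and (x == u.car or member(x, u.cdr))

def allp(phi, u):
    # allpdef: allp(phi,nil) ∧ allp(phi,x.u) = if phi(x) then allp(phi,u) else false
    return null(u) or (allp(phi, u.cdr) if phi(u.car) else False)

def somep(phi, u):
    # somepdef: ¬somep(phi,nil) ∧ somep(phi,x.u) = if phi(x) then true else somep(phi,u)
    return (not null(u)) and (True if phi(u.car) else somep(phi, u.cdr))

def uniqueness(u):
    # uniquenessdef: uniqueness nil ∧ uniqueness(x.u) = ¬member(x,u) ∧ uniqueness(u)
    return null(u) or ((not member(u.car, u.cdr)) and uniqueness(u.cdr))

def assoc(x, alist):
    # assocdef: assoc(x,nil)=nil ∧ assoc(x,(xa.y).alist) = if x=xa then xa.y else assoc(x,alist)
    if null(alist):
        return NIL
    pair = alist.car
    return pair if pair.car == x else assoc(x, alist.cdr)

# file SET: a set av is its characteristic predicate ground -> truthval
def mkset(x):
    # mkset_def: mkset(x) = λyv.yv=x
    return lambda yv: yv == x

def mklset(u):
    # mklsetdef: mklset(u) = λx.member(x,u)
    return lambda x: member(x, u)

def inclusion(av, bv, universe):
    # inclusiondef: av ⊂ bv = ∀xv.av(xv) ⊃ bv(xv); the quantifier over all
    # urelements is approximated by a finite universe (assumption of this example)
    return all((not av(xv)) or bv(xv) for xv in universe)

def check_list_facts(u, phi, universe):
    """allp_introduction/elimination, somepfact and mkset_mklset on one list u."""
    # allp(phi,u) ≡ ∀y.member(y,u) ⊃ phi(y)
    ok = allp(phi, u) == all(phi(y) for y in elements(u))
    # somepfact: somep(phi,u) ≡ ∃x.member(x,u) ∧ phi(x)
    ok = ok and somep(phi, u) == any(phi(y) for y in elements(u))
    # mkset_mklset: member(y,u) ⊃ mkset(y) ⊂ mklset(u)
    for y in elements(u):
        ok = ok and inclusion(mkset(y), mklset(u), universe)
    return ok
```

The recursive definitions are used unchanged as the executable code, and the checker only compares them with their quantifier characterizations; note that assoc, like the paper's nthcdr later on, signals a missing key by returning nil rather than by failing, so a caller who needs to distinguish "absent" from "present with value nil" must test membership separately.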


8.7. file LENGTH.

;facts about lengths of lists
(get-proofs set)

(get-proofs minus)

(proof length)

1. (decl length (type: |ground→ground|) (unaryname: length))

2. (define length |∀u x.(length nil=0)∧length(x.u)=(length u)'|
    (use listinductiondef))
(label simpinfo) (label lengthdef)

3. (ue (phi |λu.natnum length u|) listinduction (open length))
;∀U.NATNUM(LENGTH U)
(label simpinfo) ■

4. (ue (phi |λu.(length u=0)≡null u|) listinduction
    (open length) (use zero_not_successor))
;∀U.LENGTH U=0≡NULL U
(label simpinfo) ■

5. (ue (phi |λu.length(u*v)=length u+length v|) listinduction
    (open append length))
;∀U.LENGTH(U*V)=LENGTH U+LENGTH V
(label lengthadd) (label simpinfo) ■

6. (trw |length(x.nil)| (open length))
;LENGTH(X.NIL)=1
(label simpinfo) ■

7. (derive |length(u)≤n∨n<length(u)| trichotomy (open lesseq))
(label trichotomy2) ■

8. (ue (phi |λu.member(y,u)⊃0<length u|) listinduction (open member))
;∀U.MEMBER(Y,U)⊃0<LENGTH U
(label simpinfo)(label have_member) ■

9. (ue (phi |λu.member(y,u)⊃¬null u|) listinduction (open member))
;∀U.MEMBER(Y,U)⊃¬NULL U
(label simpinfo)(label have_member1) ■

(save-proofs length)


8.8. file NTH: Some Appropriate Inductive Principles.

(wipe-out)

(get-proofs length)

;now we need to tie up natural numbers and s-expressions

(axiom |∀n.sexp n|)
(label simpinfo)

(axiom |∀n.¬null(n)|)
(label simpinfo)

(proof sets)

;all numbers will be urelements

(axiom |∀n.urelement n|)
(label simpinfo)

;forms of doubleinduction

(proof listinduction)

;a useful principle which follows from listinduction
;corresponds to a proof by cases arguments

(trw |∀phi.(phi(nil)∧∀x u.phi(x.u))⊃∀u.phi(u)| listinduction)
;∀PHI.PHI(NIL)∧(∀X U.PHI(X.U))⊃(∀U.PHI(U))
(label listcases)

;the next principle gives a convenient form for double induction on lists

(assume |∀u v x y.phi2(nil,u)∧phi2(u,nil)∧(phi2(u,v)⊃phi2(x.u,y.v))|)
(label dindass)

(ue (phi |λu.∀v.phi2(u,v)|) listinduction
    (use dindass) (use listcases ue: ((phi.|λv.phi2(x.u,v)|))))
;∀U V.PHI2(U,V)
;deps: (DINDASS)

(ci (dindass) *)
;(∀U V X Y.PHI2(NIL,U)∧PHI2(U,NIL)∧(PHI2(U,V)⊃PHI2(X.U,Y.V)))⊃(∀U V.PHI2(U,V))
(label doubleinduction) ■

;the next principle gives a form of double induction for lists and numbers

(assume |∀u n x.phi3(nil,n)∧phi3(u,0)∧(phi3(u,n)⊃phi3(x.u,n'))|)
(label dindass1)

(ue (phi |λu.∀n.phi3(u,n)|) listinduction
    (use dindass1) (use proof_by_induction ue: ((a.|λn.phi3(x.u,n)|))))
;∀U N.PHI3(U,N)
;deps: (DINDASS1)

(ci (dindass1) *)
;(∀U N X.PHI3(NIL,N)∧PHI3(U,0)∧(PHI3(U,N)⊃PHI3(X.U,N')))⊃(∀U N.PHI3(U,N))
(label doubleinduction1) ■


8.9. Nth.

;basic facts about nth
(proof nth)

1. (decl nth (syntype: constant) (type: |ground⊗ground→ground|))

2. (defax nth |∀x u n.nth(nil,n)=nil∧nth(u,0)=car u∧
    nth(x.u,n')=nth(u,n)|)
(label simpinfo) (label nthdef)

;prove by double induction the well-definedness of nth
;for the obvious range

3. (ue (phi3 |λu n.sexp nth(u,n)|) doubleinduction1 (open nth))
;∀U N.SEXP NTH(U,N)
(label simpinfo)(label sexp_nth) ■

;prove by double induction the membership of nth in the original list

4. (ue (phi |λu.0<length u⊃member(nth(u,0),u)|) listinduction
    (open length nth member))
;∀U.0<LENGTH U⊃MEMBER(NTH(U,0),U)

(ue (phi3 |λu n.n<length u ⊃ member(nth(u,n),u)|) doubleinduction1
    (open length nth) (use memberdef mode: always)(use *))
;∀U N.N<LENGTH U⊃MEMBER(NTH(U,N),U)
(label nthmember) ■


ABOUT PERMUTATIONS IN LISP AND EKL


8.9.1. Member Nth.

;member_nth
(proof member_nth)

1. (assume |(member(y,u)⊃(∃n.n<length u∧nth(u,n)=y))|)
(label m_n1)

2. (assume |y=x|)
(label m_n2)

3. (trw |0<length(x.u)∧nth(x.u,0)=y| (open nth) *)
;0<LENGTH(X.U)∧NTH(X.U,0)=Y

4. (derive |∃n.n<length(x.u)∧nth(x.u,n)=y| *)
(label m_n3)

5. (assume |member(y,u)|)

6. (define nv |nv<length u∧nth(u,nv)=y| (m_n1 *))

7. (trw |nv'<length(x.u)∧nth(x.u,nv')=y| (open nth) *)
;NV'<LENGTH(X.U)∧NTH(X.U,NV')=Y

8. (derive |∃n.n<length(x.u)∧nth(x.u,n)=y| *)
(label m_n4)

9. (assume |member(y,x.u)|)
(label m_n5)

10. (rw * (open member))
;Y=X∨MEMBER(Y,U)

11. (cases * m_n3 m_n4)
;∃N.N<LENGTH(X.U)∧NTH(X.U,N)=Y

12. (ci m_n5)
;MEMBER(Y,X.U)⊃(∃N.N<LENGTH(X.U)∧NTH(X.U,N)=Y)

13. (ci m_n1)

14. (ue (phi |λu.member(y,u)⊃(∃n.n<length u∧nth(u,n)=y)|) listinduction
    (open member nth) *)
;∀U.MEMBER(Y,U)⊃(∃N.N<LENGTH U∧NTH(U,N)=Y)
(label member_nth) ■


8.10.  Nthcdr. 


(proof nthcdr)

1. (decl nthcdr (syntype: constant) (type: |ground⊗ground→ground|))

2. (defax nthcdr |∀x u n.nthcdr(nil,n)=nil∧nthcdr(u,0)=u∧
nthcdr(x.u,n′)=nthcdr(u,n)|)

(label simpinfo) (label nthcdrdef)

3. (ue (phi3 |λu n.listp nthcdr(u,n)|) doubleinduction1)

;∀U N.LISTP NTHCDR(U,N)

(label simpinfo) ■

4. (ue (phi |λu.0<length u⊃nth(u,0).nthcdr(u,0′)=u|) listinduction
(part 2 (nuse nthdef)))

;∀U.0<LENGTH U⊃NTH(U,0).NTHCDR(U,1)=U
(label nth_nthcdr_zero) ■

;car nthcdr

5. (ue (phi3 |λu n.car(nthcdr(u,n))=nth(u,n)|) doubleinduction1)

;∀U N.CAR NTHCDR(U,N)=NTH(U,N)

(label car_nthcdr) ■

;cdr nthcdr

6. (ue (phi |λu.cdr(nthcdr(u,0))=nthcdr(u,0′)|) listinduction)

;∀U.CDR U=NTHCDR(U,1)

7. (ue (phi3 |λu n.cdr(nthcdr(u,n))=nthcdr(u,n′)|) doubleinduction1 *)
;∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N′)

(label cdr_nthcdr) ■

;nthcdr car cdr

8. (ue (phi |λu.0<length(u)⊃nthcdr(u,0)=nth(u,0).nthcdr(u,0′)|)
listinduction (car_nthcdr cdr_nthcdr))

9. (ue (phi3 |λu n.n<length(u)⊃nthcdr(u,n)=nth(u,n).nthcdr(u,n′)|)
doubleinduction1 (use car_nthcdr cdr_nthcdr) *)

;∀U N.N<LENGTH U⊃NTHCDR(U,N)=NTH(U,N).NTHCDR(U,N′)
(label nthcdr_car_cdr) ■

;nth in nthcdr

10. (ue (phi3 |λu n.∀m.n<m∧m<length u⊃member(nth(u,m),nthcdr(u,n))|)
doubleinduction1
(use nthmember mode: exact)
(use proof_by_induction
ue: ((a.|λm.(n′<m∧m<length(u)′⊃
member(nth(x.u,m),nthcdr(u,n)))|))
mode: exact))

;∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

11. (trw |∀u n m.n≤m∧m<length(u)⊃member(nth(u,m),nthcdr(u,n))|
(open lesseq member) (use normal mode: always)
(use * nthcdr_car_cdr mode: exact))

;∀U N M.N≤M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

(label nth_in_nthcdr) ■

;nth nthcdr

12. (ue (phi3 |λu n.n<length u∧m<length(nthcdr(u,n))⊃
nth(nthcdr(u,n),m)=nth(u,m+n)|)
doubleinduction1)

;∀U N.N<LENGTH U∧M<LENGTH (NTHCDR(U,N))⊃NTH(NTHCDR(U,N),M)=NTH(U,M+N)
(label nth_nthcdr) ■

;length nthcdr

13. (ue (phi3 |λu n.n≤length u⊃length(nthcdr(u,n))=length u-n|)
doubleinduction1 (use successor_minus mode: always)
(open minus) (part 1#1#1 (open lesseq)))

;∀U N.N≤LENGTH U⊃LENGTH (NTHCDR(U,N))=LENGTH U-N
(label length_nthcdr) ■

;last nthcdr

14. (ue (phi |λu.nthcdr(u,length(u))=nil|) listinduction)

;∀U.NTHCDR(U,LENGTH U)=NIL
(label last_nthcdr) ■

;trivial nthcdr

15. (ue (phi3 |λu n.length(u)≤n⊃nthcdr(u,n)=nil|) doubleinduction1
(part 1#1 (open lesseq)))

(label trivial_nthcdr) ■

;allp_nthcdr

16. (ue (phi3 |λu n.allp(a,u)⊃allp(a,nthcdr(u,n))|) doubleinduction1
(open allp))

;∀U N.ALLP(A,U)⊃ALLP(A,NTHCDR(U,N))

(label allp_nthcdr) ■


8.10.1. Nthcdr Induction.

Using induction on n, we show:

∀n.phi(nthcdr(u,length(u)-n)).

For n=0, nthcdr(u,length(u)-n) is NIL, and we have phi(nil).

Assume phi(nthcdr(u,length(u)-n)). Since subtraction is defined as a total function on
nonnegative integers, we have for n≥length(u),

length(u)-n = 0 = length(u)-n′

so in this case the induction step is trivial.

If n<length(u), then

length(u)-n = (length(u)-n′)′

by elementary arithmetic and

∀k.k<length(u)⊃(phi(nthcdr(u,k′))⊃phi(nthcdr(u,k)))

is the inductive step of our principle. We can complete the induction step by letting k be
length(u)-n′:

phi(nthcdr(u,length(u)-n))⊃phi(nthcdr(u,length(u)-n′)).

Finally it is convenient to write

nthcdr(u,k)

as

nth(u,k).nthcdr(u,k′)

(using lemma Nthcdr Car Cdr).
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(proof  nthcdr_induction) 

1.  (assume  | Vn.n<length(u) Aphi(nthcdr(u,nO)3 

phi(nth(u,n)  .iithcdr(u,nO)  1) 

(label  n.i.l) 

;deps:  (N_I,1) 

2.  (derive  I Vn.n<length(u)D 

(phi(iithcdr(u,iiO)3phi(nthcdr(u,n)))  I  ♦ 

(use  iithcdr_car_cdr  mode:  always)) 

(label  n_i_2) 

;deps:  (N^I_1) 

;  two  cases 

3.  (derive  | length (u)<nVn<length(u) I  trichotomy2) 

(label  n_i_cases) 

;one  completely  trivial 

4.  (assume  1  length (u)<ni ) 

(label  n_i_cl) 

;deps:  (N^I^Cl) 

5.  (trw  )phi(nthcdr(u,length(u)-n))D 

phi(nthcdr(u,length(u)-nO)  I 

(open  minus  pred)(use  total_subtraction  n_i_cl  mode;  always)) 
(label  n^i_casel) 

;PHI(NTHCDR(U, LENGTH  U-N))3PHI(NTHCDR(U, LENGTH  U-NO) 

;deps:  (N^I.Cl) 

;the  other  quite  trivial  too... 

6.  (assume  I n<length(u) I ) 

(label  n_i^c2) 

;deps:  (6) 

7.  (ue  (n  !length(u)-(nO  I )  n_i_2 

(use  n_i_c2)(use  minusfactll  ue;  ((n. jlength(u) 1 ))  ) 

(use  minusfactlO  mode:  exact  direction:  reverse)) 

(label  n_i_case2) 

;PHI(NTHCDR(U, LENGTH  U-N))3PHI(NTHCDR(U, LENGTH  U-NO) 

;deps:  (N_I_1  N^I_C2) 

8.  (cases  n.i^cases  n.i^casel  n_i_case2) 

;PHI(NTHCDR(U, LENGTH  U-N))DPHI(NTHCDR(U, LENGTH  U-NO) 

;deps:  (N_I_1) 

9.  (ue  (a  Un.phi(nthcdr(u,length(u)-n)) I ) 

proof _by_induction  * 

(part^l  (use  last_nthcdr  mode:  exact)  (open  minus))  ) 

(label  n_i_5) 

;PHI(NIL)3(VN,PHI(NTHCDR(U, LENGTH  tJ-N))) 

;deps:  (N_I_1) 

; cosmetics 

10.  (assume  | phi (nil) I) 

(label  n^i_6) 

;deps:  (10) 

11.  (derive  ! Vn. phi (nthcdr(u, length  u-n))l  (n_i_5  n_i_6)) 

;deps:  (N_I^1  N.I_6) 

12.  (ue  (n  llength  ul)  *  ) 

;PHI(U) 
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;deps:  N_I_6) 

13.  (ci  (n_i.6  n_i_l)) 

:PHI(HIL)A(VN.N<LENGTH  UAPHI(NTHCDR(U,N ’ ))3PHI(NTH(U,N) .NTHCDR(U,N’)))3 
:PHI(U) 

(label  nthcdr.induction)  ■ 


8.11.  Fstposition. 


;facts about fstposition
(proof fstpositionprop)

1. (trw |∀k.¬null k′|)

(label simpinfo)

2. (ue (phi |λu.(null fstposition(u,y)⊃¬member(y,u))∧
(member(y,u)⊃natnum fstposition(u,y))∧
(null fstposition(u,y)∨natnum fstposition(u,y))|) listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U.(NULL FSTPOSITION(U,Y)⊃¬MEMBER(Y,U))∧
; (MEMBER(Y,U)⊃NATNUM(FSTPOSITION(U,Y)))∧
; (NULL FSTPOSITION(U,Y)∨NATNUM(FSTPOSITION(U,Y)))

(label simpinfo)(label posfacts) ■

3. (ue (phi |λu.∀y.sexp fstposition(u,y)|) listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U Y.SEXP FSTPOSITION(U,Y)

(label simpinfo)(label sortpos) ■

;pos_length

4. (ue (phi |λu.∀y.member(y,u)⊃fstposition(u,y)<length(u)|) listinduction
(part 1 (open member fstposition) (use normal mode: always)))

;∀U Y.MEMBER(Y,U)⊃FSTPOSITION(U,Y)<LENGTH U
(label pos_length) ■


8.11.1.  Fstposition  and  Nth. 


;lemmata nth_fstposition and fstposition_nth
;lemma nth_fstposition

1. (ue (phi |λu.∀n.member(n,u)⊃nth(u,fstposition(u,n))=n|) listinduction
(use normal mode: always)
(open member fstposition nth))

;∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N
(label nth_fstposition) ■

(proof fstposition_nth)

1. (ue (phi |λu.0<length u⊃fstposition(u,nth(u,0))=0|)
listinduction (open fstposition nth member))

;∀U.0<LENGTH U⊃FSTPOSITION(U,CAR U)=0

2. (derive |n<length u∧x=nth(u,n)⊃member(x,u)| (nthmember))

3. (derive |uniqueness(x.u)∧n<length u⊃¬x=nth(u,n)| * (open uniqueness))

4. (ue (phi3 |λu n.uniqueness u∧n<length u⊃fstposition(u,nth(u,n))=n|)
doubleinduction1 *
(open fstposition nth member uniqueness) -3 nthmember)

;∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N
(label fstposition_nth) ■


8.12.  Injectivity. 


;injectivity

;another predicate for uniqueness
(proof inj)

1. (decl (inj) (type: |ground→truthval|))

2. (define inj |∀u.inj(u)=∀n m.n<length(u)∧m<length(u)∧nth(u,n)=nth(u,m)⊃n=m|)

(label injdef)

We want to show that the following properties of a list u are equivalent:

(i) uniqueness: for every member x, x does not belong to the tail of u after x;

(ii) injectivity: if nth(u,i) = nth(u,j) then i = j.

The property of uniqueness holds for all the tails of a list, if it holds for the list: this fact
(needed later, line 14) is easily established by double induction on lists and numbers.

;equivalence of uniqueness and inj
(proof uniqueness_inj)

1. (ue (phi3 |λu n.uniqueness u⊃uniqueness nthcdr(u,n)|) doubleinduction1
(open uniqueness nthcdr))

;∀U N.UNIQUENESS(U)⊃UNIQUENESS(NTHCDR(U,N))

(label uniqueness_nthcdr)

Assume uniqueness(u) (line 2). We want to show inj(u). Therefore we assume nth(u,i) =
nth(u,j), with i and j both less than length(u) (lines 2, 3 and 4). We need to obtain i = j (line
13). We will derive a contradiction from the assumption that either i < j or j < i (lines 9 and 12)
and apply the trichotomy:

∀n m.m<n∨m=n∨n<m.

Assume i < j. Then nth(u,j) is a member of nthcdr(u,i′) (line 8) (this is the fact Nth
in Nthcdr). But this contradicts the fact that nthcdr(u,i′) enjoys the uniqueness property. So
¬i < j.

Similarly for j < i.

2. (assume |uniqueness(u)|)

(label ui1)

3. (assume |i<length u|)

(label ui2)

4. (assume |j<length u|)

(label ui3)

5. (assume |nth(u,i)=nth(u,j)|)

(label ui4)

6. (derive |uniqueness(nthcdr(u,i))| (uniqueness_nthcdr ui1))
7. (rw * (use nthcdr_car_cdr ui2 mode: always) (open uniqueness))

;¬MEMBER(NTH(U,I),NTHCDR(U,I′))∧UNIQUENESS(NTHCDR(U,I′))

;deps: (UI1 UI2)

;labels: NTH_IN_NTHCDR

;∀U N M.N≤M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

8. (ue ((u.u)(n.|i′|)(m.j)) nth_in_nthcdr
(use ui4 mode: exact direction: reverse)
(use ui3 * mode: exact))

;¬I′≤J

;deps: (UI1 UI2 UI3 UI4)

;labels: LESS_LESSEQSUCC
;∀M N.M<N≡M′≤N

9. (ue ((m.i)(n.j)) less_lesseqsucc *)

(label ui_way1)

;deps: (UI1 UI2 UI3 UI4)

10. (ci (ui1 ui2 ui3 ui4))

;UNIQUENESS(U)∧I<LENGTH U∧J<LENGTH U∧NTH(U,I)=NTH(U,J)⊃¬I<J

11. (ue ((i.j)(j.i)) *)

;UNIQUENESS(U)∧J<LENGTH U∧I<LENGTH U∧NTH(U,J)=NTH(U,I)⊃¬J<I

12. (derive |¬j<i| (* ui1 ui2 ui3 ui4))

(label ui_way2)

;deps: (UI1 UI2 UI3 UI4)

13. (derive |i=j| (trichotomy ui_way1 ui_way2))

;deps: (UI1 UI2 UI3 UI4)

14. (ci (ui1 ui2 ui3 ui4))

;UNIQUENESS(U)∧I<LENGTH U∧J<LENGTH U∧NTH(U,I)=NTH(U,J)⊃I=J

15. (trw |uniqueness(u)⊃inj(u)| * (open inj))

;UNIQUENESS(U)⊃INJ(U)

(label uniqueness_inj)

We prove inj(u)⊃uniqueness(u) by list induction. It is easy to see that inj(x.u) implies
inj(u) (line 4) and hence uniqueness(u), by induction hypothesis. We need to show
¬member(x,u), in order to conclude uniqueness(x.u). If x was a member of u, it would be
the (n0+1)-th member of x.u, for some n0, and we would have nth(x.u,(n0+1))=nth(x.u,0)
(line 7); by the definition of inj this implies n0+1 = 0.

1. (assume |inj(u)⊃uniqueness(u)|)

(label inj_un1)

2. (assume |inj(x.u)|)

(label inj_un2)

3. (rw * (open inj))

;∀N M.N<LENGTH U′∧M<LENGTH U′∧NTH(X.U,N)=NTH(X.U,M)⊃N=M
(label inj_un3)

;deps: (INJ_UN2)

4. (trw |inj u| (open inj) (use * ue: ((n.|n′|)(m.|m′|))))

;INJ(U)

5. (derive |uniqueness u| (* inj_un1))

(label inj_un4)
;deps: (INJ_UN2)

6. (assume |member(x,u)|)

(label inj_un5)

7. (define nv |nv′<length(x.u)∧nth(x.u,nv′)=nth(x.u,0)|
(* member_nth))

;NV is unknown.

;the symbol NV is given the same declaration as N
;deps: (INJ_UN5)

8. (rw *)

;NV<LENGTH U∧NTH(U,NV)=X
;deps: (INJ_UN5)

9. (ue ((n.|nv′|)(m.|0|)) inj_un3 *)

;FALSE

;deps: (INJ_UN2 INJ_UN5)

10. (ci inj_un5)

;¬MEMBER(X,U)

;deps: (INJ_UN2)

11. (trw |uniqueness(x.u)| (open uniqueness) (* inj_un4))

;UNIQUENESS(X.U)

;deps: (INJ_UN1 INJ_UN2)

12. (ci inj_un2)

;INJ(X.U)⊃UNIQUENESS(X.U)

;deps: (INJ_UN1)

13. (ci inj_un1)

;(INJ(U)⊃UNIQUENESS(U))⊃(INJ(X.U)⊃UNIQUENESS(X.U))

14. (ue (phi |λu.inj(u)⊃uniqueness(u)|) listinduction
* (part 1#1 (open inj uniqueness)))

;∀U.INJ(U)⊃UNIQUENESS(U)

(label inj_uniqueness)

15. (derive |∀u.uniqueness(u)≡inj(u)| (uniqueness_inj inj_uniqueness))

(label uniqueness_injectivity) ■
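The definitions of file NTH and the lemmas proved about them, including the equivalence of uniqueness and injectivity just established, can be cross-checked by running them. The Python below is an added example, not the paper's EKL text and not code from the paper: it transcribes nth, nthcdr, member, fstposition, uniqueness and inj under their EKL names, re-checks the stated lemmas on one concrete list, and then does so exhaustively for every list of length at most four over a three-letter alphabet (both bounds are arbitrary choices; NIL is rendered as None or the empty list).

```python
from itertools import product

# Added Python transcription of the NTH file (not the paper's EKL).
# A Python list stands for an EKL list; the cons "x.u" is u[0]=x, u[1:]=rest,
# and nth(u,n) is the 0-based n-th element.


def nth(u, n):
    """nth(x.u,0)=x, nth(x.u,n')=nth(u,n); nth(nil,n)=nil (None here)."""
    return u[n] if n < len(u) else None


def nthcdr(u, n):
    """nthcdr(nil,n)=nil, nthcdr(u,0)=u, nthcdr(x.u,n')=nthcdr(u,n)."""
    return u[n:]


def member(y, u):
    return y in u


def fstposition(u, y):
    """Position of the first occurrence of y in u; None (EKL: NIL) if absent."""
    for i, x in enumerate(u):
        if x == y:
            return i
    return None


def uniqueness(u):
    """(i): uniqueness(x.u) = not member(x,u) and uniqueness(u); uniqueness(nil)."""
    return all(not member(u[i], u[i + 1:]) for i in range(len(u)))


def inj(u):
    """(ii), the 'inj' of 8.12: nth(u,n)=nth(u,m) with n,m<length u forces n=m."""
    L = len(u)
    return all(n == m for n in range(L) for m in range(L) if nth(u, n) == nth(u, m))


def check_lemmas(u):
    """Re-check the lemmas the EKL proofs establish, on one concrete list."""
    L = len(u)
    ok = uniqueness(u) == inj(u)                                         # uniqueness_injectivity
    if uniqueness(u):
        ok &= all(uniqueness(nthcdr(u, n)) for n in range(L + 1))        # uniqueness_nthcdr
        ok &= all(fstposition(u, nth(u, n)) == n for n in range(L))      # fstposition_nth
    ok &= all(member(nth(u, m), nthcdr(u, n))
              for n in range(L) for m in range(n, L))                    # nth_in_nthcdr (n<=m<length)
    ok &= all(nthcdr(u, n) == [nth(u, n)] + nthcdr(u, n + 1)
              for n in range(L))                                         # nthcdr_car_cdr
    ok &= all(nth(u, fstposition(u, y)) == y for y in u)                 # nth_fstposition
    ok &= all(len(nthcdr(u, n)) == L - n for n in range(L + 1))          # length_nthcdr
    ok &= nthcdr(u, L) == [] and nthcdr(u, L + 2) == []                  # last_nthcdr, trivial_nthcdr
    return ok


def exhaustive(alphabet=("a", "b", "c"), max_len=4):
    """check_lemmas over every list of length <= max_len over the alphabet (constructed bounds)."""
    return all(check_lemmas(list(u))
               for k in range(max_len + 1)
               for u in product(alphabet, repeat=k))
```

A True from exhaustive() is not a proof (EKL's list induction covers every length), but it catches a mistranscribed definition immediately. The uniqueness hypothesis of fstposition_nth is visibly necessary: for the list a,b,a the first position of nth(u,2) is 0, not 2.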


8.13. Nth, Allp and Mklset.


;proof of facts about sets

(proof setfacts)

;nth_allp

1. (assume |∀n.n<length(u)⊃phi1(nth(u,n))|)

(label allp_intr1)

2. (ue ((phi.|λu.allp(phi1,u)|)(u.u)) nthcdr_induction
(open allp) (use * mode: always))

;ALLP(PHI1,U)

3. (ci allp_intr1)

;(∀N.N<LENGTH U⊃PHI1(NTH(U,N)))⊃ALLP(PHI1,U)

(label nth_allp) ■

;mklset_fact

4. (derive |∀x.(mklset(u))(x)≡(∃k.k<length u∧nth(u,k)=x)|
(nthmember member_nth) (open mklset))

5. (ue ((av.|mklset(u)|)(bv.|λx.(∃k.k<length u∧nth(u,k)=x)|)) set_extensionality
* (open epsilon))

;MKLSET(U)=(λX.(∃K.K<LENGTH U∧NTH(U,K)=X))

(label mklset_fact) ■

(save-proofs nth)


8.14. file APPL: Functions Represented by Association Lists.


;functions as alists: the notion of application for association lists
(proof appalist)

1. (decl dom (type: |ground→ground|))

2. (defax dom |∀xa y alist.dom nil=nil∧
dom((xa.y).alist)=xa.dom alist|)

(label domdef)

3. (decl range (type: |ground→ground|))

4. (defax range |∀xa y alist.range nil=nil∧
range((xa.y).alist)=y.range alist|)

(label rangedef)

5. (decl functp (type: |ground→truthval|))

6. (define functp |∀alist.functp(alist)=uniqueness dom(alist)|)

(label functdef)

7. (decl injectp (type: |ground→truthval|))

8. (define injectp |∀alist.injectp(alist)=functp(alist)∧uniqueness range(alist)|)
(label injectdef)

9. (decl (appalist) (type: |ground⊗ground→ground|))

10. (define appalist |∀alist y.appalist(y,alist)=cdr assoc(y,alist)|)

(label appalistdef)

11. (decl (samemap) (type: |ground⊗ground→truthval|))

12. (define samemap
|∀alist alist1.samemap(alist,alist1)≡
mklset dom(alist)=mklset dom(alist1)∧
(∀y.y∈mklset dom(alist)⊃appalist(y,alist)=appalist(y,alist1))|)
(label samemapdef)

13. (define permutp |∀alist.permutp(alist)≡
functp(alist)∧mklset(dom(alist))=mklset(range(alist))|)

(label permutp_def)
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8.14.1.  Alist  Induction. 


(proof  alistind) 

1.  (assume  (chi(nil)A(Vxa  y  alist .chi(alist)Dchi((xa.y) .alist)) I) . 

(label  alindl) 

2.  (assume  jalistp  uDchi  ul) 

(label  alind2) 

3.  (assume  lalistp  (x.u)|) 

(label  alind3) 

4.  (ue  (alist  lx.ul)  alistdell  *  ) 

;-iAT0M  XAATOM  CAR  XAALISTP  U 

5.  (derive  1 (Vxa  y  alist .chi(alist)3chi( (xa.y) .alist)) I  alindl) 

6.  (ue  ((xa.lcar  x 1 ) (y . 1 cdr (x) I ) (alist .u))  ♦  -2  alindS  alind2) 

;CHI(X.U) 

;deps:  (ALINDl  ALIND2  ALIND3) 

7.  (ci  alindS) 

;ALISTP  X.UDCHI(X.U) 

;deps:  (ALIWDl  ALIND2) 

8.  (ci  alind2) 

;(ALISTP  UDCHI(U))D(ALISTP  X .U3CHI (X .U)) 

;deps:  (ALINDl) 

9.  (ue  (phi  |Au.alistp(u)Dchi(u) 1)  listinduction  *  alindl) 

;VU.ALISTP  UDCHI(U) 

10.  (derive  iValist.chi  alist I  ♦  ) 

;deps:  (ALINDl) 

11.  (ci  alindl) 

;CHI(NIL)a(VXA  Y  ALIST. CHI(ALIST)3CHI((XA. Y) .ALIST))D(VALIST.CHI(ALIST)) 
(label  alistinduction)  ■ 


8.14.2. Facts About Association Lists.


;facts about alists
(proof alistfacts)

;domsort

1. (ue (chi |λalist.listp dom(alist)|) alistinduction (open dom))

;∀ALIST.LISTP DOM(ALIST)

(label simpinfo)(label domsort) ■

2. (ue (chi |λalist.listp range(alist)|) alistinduction (open range))

;∀ALIST.LISTP RANGE(ALIST)

(label simpinfo)(label rangesort) ■

;domlength

3. (ue (chi |λalist.length dom alist=length alist|) alistinduction (open dom))
;∀ALIST.LENGTH (DOM(ALIST))=LENGTH ALIST
(label domlength) ■

;domrangelength

4. (ue (chi |λalist.length(dom alist)=length(range alist)|) alistinduction
(open dom range))

;∀ALIST.LENGTH (DOM(ALIST))=LENGTH (RANGE(ALIST))

(label domrangelength) ■

;appalistsort

5. (ue (chi |λalist.sexp appalist(y,alist)|) alistinduction
(part 1 (open appalist assoc)))

;∀ALIST.SEXP APPALIST(Y,ALIST)

(label simpinfo)(label appalistsort) ■

;trivial appalist

6. (ue (chi |λalist.¬(y∈mklset dom(alist))⊃appalist(y,alist)=nil|) alistinduction
(part 1 (open epsilon mklset dom appalist assoc member)))
;∀ALIST.¬Y∈MKLSET(DOM(ALIST))⊃APPALIST(Y,ALIST)=NIL
(label trivial_appalist) ■


8.14.3. Samemap Definition.


(proof samemap)

1. (trw |samemap(alist,alist)| (open samemap))

;SAMEMAP(ALIST,ALIST)

(label samemap_equivalence)

2. (trw |samemap(alist,alist1)⊃samemap(alist1,alist)| (open samemap mklset dom))
;SAMEMAP(ALIST,ALIST1)⊃SAMEMAP(ALIST1,ALIST)

(label samemap_equivalence)

3. (trw |samemap(alist,alist1)∧samemap(alist1,alist2)⊃samemap(alist,alist2)|
(open samemap mklset dom))

;SAMEMAP(ALIST,ALIST1)∧SAMEMAP(ALIST1,ALIST2)⊃SAMEMAP(ALIST,ALIST2)

(label samemap_equivalence) ■

;apparently stronger definition of samemap
(proof samemapdef)

1. (assume |samemap(alist1,alist2)|)

2. (rw * (open samemap))

;MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2))∧
;(∀Y.Y∈MKLSET(DOM(ALIST1))⊃APPALIST(Y,ALIST1)=APPALIST(Y,ALIST2))

3. (trw |¬y∈mklset(dom(alist1))⊃appalist(y,alist1)=appalist(y,alist2)|
(use trivial_appalist mode: always)
(use * mode: exact))

;¬Y∈MKLSET(DOM(ALIST1))⊃APPALIST(Y,ALIST1)=APPALIST(Y,ALIST2)

4. (ue ((q.|y∈mklset dom(alist1)|)(p.|appalist(y,alist1)=appalist(y,alist2)|))
excluded_middle * -2)

;APPALIST(Y,ALIST1)=APPALIST(Y,ALIST2)

5. (derive |mklset(dom(alist1))=mklset(dom(alist2))∧
∀y.appalist(y,alist1)=appalist(y,alist2)| (-3 *))

6. (ci -5)

;SAMEMAP(ALIST1,ALIST2)⊃
;MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2))∧
;(∀Y.APPALIST(Y,ALIST1)=APPALIST(Y,ALIST2))

7. (derive |samemap(alist1,alist2)≡
(mklset(dom(alist1))=mklset(dom(alist2))∧
(∀x.appalist(x,alist1)=appalist(x,alist2)))| *)

(label samemap_def1) ■
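The alist vocabulary of file APPL and the two forms of samemap compared in 8.14.3 are transcribed into Python below as an added example, not EKL and not code from the paper. The EKL function `range` is renamed `rng` to avoid shadowing the Python builtin; the key "not-a-key" and the small key and value alphabets used by the exhaustive check are constructed test data.

```python
from itertools import product

# Added Python model of file APPL (not the paper's EKL). An alist is a list of
# (key, value) pairs; EKL's (xa.y).alist is alist[0] == (xa, y).


def dom(alist):
    return [xa for xa, _ in alist]


def rng(alist):
    """'range' in the EKL text; renamed so as not to shadow Python's builtin."""
    return [y for _, y in alist]


def assoc(y, alist):
    """First pair whose key is y; None (EKL: NIL) when y is not a key."""
    for pair in alist:
        if pair[0] == y:
            return pair
    return None


def appalist(y, alist):
    """appalist(y,alist) = cdr assoc(y,alist); cdr NIL is NIL, i.e. None here."""
    pair = assoc(y, alist)
    return None if pair is None else pair[1]


def uniqueness(u):
    return all(u[i] not in u[i + 1:] for i in range(len(u)))


def functp(alist):
    """functp: the alist denotes a function, i.e. its domain has no repeated key."""
    return uniqueness(dom(alist))


def injectp(alist):
    return functp(alist) and uniqueness(rng(alist))


def permutp(alist):
    """permutp: a function whose domain and range, as sets, coincide."""
    return functp(alist) and set(dom(alist)) == set(rng(alist))


def samemap(a1, a2):
    """Definition 12: equal domain sets and equal application on that domain."""
    return (set(dom(a1)) == set(dom(a2))
            and all(appalist(y, a1) == appalist(y, a2) for y in set(dom(a1))))


def samemap_def1(a1, a2):
    """The 'apparently stronger' form of samemap_def1: equal application everywhere.
    A key outside both domains is included so trivial_appalist is exercised."""
    keys = set(dom(a1)) | set(dom(a2)) | {"not-a-key"}     # constructed probe key
    return (set(dom(a1)) == set(dom(a2))
            and all(appalist(y, a1) == appalist(y, a2) for y in keys))


def exhaustive(keys=("p", "q"), vals=(1, 2), max_len=2):
    """samemap == samemap_def1 on every pair of alists of length <= max_len over keys x vals."""
    pairs = list(product(keys, vals))
    alists = [list(a) for k in range(max_len + 1) for a in product(pairs, repeat=k)]
    return all(samemap(a1, a2) == samemap_def1(a1, a2) for a1 in alists for a2 in alists)
```

Alists with a repeated key are deliberately included in the enumeration: appalist reads only the first binding, which is exactly why functp is needed before an alist can be read as a function.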


8.15. Functions Represented by Lists of Numbers.


;functions as lists of numbers

(wipe-out)

(get-proofs pigeon)

(proof appl)

1. (define appl |∀u i.appl(u,i)=nth(u,i)|)

(label appldef)

2. (axiom |∀u i.i<length u ⊃ sexp(appl(u,i))∧member(appl(u,i),u)|)

(label applfacts) (label simpinfo)

;predicates for functions

3. (decl (into) (type: |ground→truthval|))

4. (define into |∀u.into(u)=(∀n.n<length u⊃natnum nth(u,n)∧nth(u,n)<length u)|)

(label intodef)

5. (decl (onto) (type: |ground→truthval|))

6. (define onto |∀u.onto(u)=(into(u)∧(∀n.n<length u⊃member(n,u)))|)

(label ontodef)

7. (decl (perm) (type: |ground→truthval|))

8. (define perm |∀u.perm(u)=onto(u)|)

;injectivity is given by the predicate inj
(save-proofs appl)


8.15.1. Extensionality.


(wipe-out)

(get-proofs appl)

(proof extensionality)

1. (assume |length u=length v∧(∀i.i<length v⊃nth(u,i)=nth(v,i))⊃u=v|)
(label ext1)

2. (assume |length u=length v|)

(label ext2)

3. (assume |∀i.i<length v′⊃nth(x.u,i)=nth(y.v,i)|)

(label ext3)

4. (ue (i 0) * ext2)

(label ext4)

5. (ue (i |i′|) ext3 ext2)

;I<LENGTH V⊃NTH(U,I)=NTH(V,I)

(label ext5)

;deps: (EXT2 EXT3)

6. (derive |u=v| (ext1 ext2 ext5))

(label ext6)

;deps: (EXT1 EXT2 EXT3)

7. (trw |x.u=y.v| (use ext4 ext6 mode: exact))

;X.U=Y.V

;deps: (EXT1 EXT2 EXT3)

8. (ci (ext2 ext3))

;LENGTH U=LENGTH V∧(∀I.I<LENGTH U′⊃NTH(X.U,I)=NTH(Y.V,I))⊃X.U=Y.V
;deps: (EXT1)

9. (ci ext1)

;(LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃NTH(U,I)=NTH(V,I))⊃U=V)⊃
;(LENGTH U=LENGTH V∧(∀I.I<LENGTH U′⊃NTH(X.U,I)=NTH(Y.V,I))⊃X.U=Y.V)

10. (ue (phi2 |λu v.length u=length v∧(∀i.i<length u⊃nth(u,i)=nth(v,i))⊃u=v|)
doubleinduction (open nth) *)

;∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH V⊃NTH(U,I)=NTH(V,I))⊃U=V
(label extensionality) ■

11. (trw |∀u i.i<length u ⊃ sexp(appl(u,i))∧member(appl(u,i),u)|
(open appl) nthmember)

;∀U I.I<LENGTH U⊃SEXP APPL(U,I)∧MEMBER(APPL(U,I),U)

(label applfact) (label simpinfo) ■


8.16. file SUMS: Finite Union and Finite Sum.


;the notions of finite union and finite sum
(wipe-out)

(get-proofs appl)

(proof sums)

1. (decl allnum (type: |ground⊗@set→truthval|) (syntype: constant))

2. (decl somenum (type: |ground⊗@set→truthval|) (syntype: constant))

3. (decl (numseq f) (type: |ground→ground|))

4. (decl sum (type: |(@numseq)⊗(@n)→(@n)|) (syntype: constant))

5. (decl setseq (type: |@n→@set|))

6. (decl un (type: |(@setseq)⊗(@n)→(@set)|) (syntype: constant))

;axiom for allnum

7. (defax allnum |∀n a.allnum(0,a)∧(allnum(n′,a)≡a(n)∧allnum(n,a))|)

(label allnumdef)

;axiom for somenum

8. (defax somenum |∀n a.¬somenum(0,a)∧(somenum(n′,a)≡a(n)∨somenum(n,a))|)

(label somenumdef)

;axiom for sum

9. (defax sum |∀n numseq.sum(numseq,0)=0∧sum(numseq,n′)=sum(numseq,n)+numseq(n)|)
(label sumdef)


;axiom for un




10. (defax un |∀n setseq.un(setseq,0)=emptyset∧un(setseq,n′)=un(setseq,n)∪setseq(n)|)

(label undef)

11. (decl disj_pair (syntype: constant) (type: |(@set⊗@set)→truthval|))

12. (define disj_pair |∀a b.disj_pair(a,b)≡emptyp(a∩b)|)

(label disjpair_def)

13. (decl disjoint (syntype: constant) (type: |((ground→@set)⊗ground)→truthval|))

14. (defax disjoint |∀n setseq.disjoint(setseq,0)∧
disjoint(setseq,n′)≡(disjoint(setseq,n)∧disj_pair(un(setseq,n),setseq(n)))|)
(label disjointdef)


8.16.1. Bound Quantifiers.


(proof allnumprop)

;we can easily prove that 'allnum' does its job

1. (ue (a |λn.allnum(n,a)⊃(m<n⊃a(m))|) proof_by_induction
(use transitivity_of_order) (use successor1) (open allnum)
(use less_succ_lesseq normal mode: exact) (open lesseq))
;∀N.ALLNUM(N,A)⊃(M<N⊃A(M))

2. (ue (a |λn.(∀m.m<n⊃a(m))⊃allnum(n,a)|) proof_by_induction
(open allnum) (use normal mode: always)
(use less_succ_lesseq mode: exact) (open lesseq))
;∀N.(∀M.M<N⊃A(M))⊃ALLNUM(N,A)

3. (derive |∀n.(∀m.m<n⊃a(m))≡allnum(n,a)| (* -2))

;similarly for 'somenum':

4. (ue (a |λn.somenum(n,a)⊃(∃m.m<n∧a(m))|) proof_by_induction
(use transitivity_of_order) (use successor1) (open somenum)
(part 1 (der))
(use less_succ_lesseq normal mode: exact) (open lesseq))
;∀N.SOMENUM(N,A)⊃(∃M.M<N∧A(M))

5. (ue (a |λn.(∃m.m<n∧a(m))⊃somenum(n,a)|) proof_by_induction
(open somenum) (use normal mode: always) (part 1 (der))
(use less_succ_lesseq mode: exact) (open lesseq))

;∀N.(∃M.M<N∧A(M))⊃SOMENUM(N,A)

6. (derive |∀n.(∃m.m<n∧a(m))≡somenum(n,a)| (* -2))


8.16.2.  Facts  About  Sums  and  Unions. 


(proof unionprop)

;a property of union
;unionfact1

1. (ue (a |λn.m<n⊃(∀xv.(setseq(m))(xv)⊃(un(setseq,n))(xv))|)
proof_by_induction
(open un union) (use less_succ_lesseq mode: always)
(open lesseq) (use normal mode: always))
;∀N.M<N⊃(∀XV.(SETSEQ(M))(XV)⊃(UN(SETSEQ,N))(XV))




;namely:

2. (trw |∀setseq n m.m<n⊃setseq(m)⊂un(setseq,n)| * (open inclusion))
(label unionfact1) ■

;a property of sum

;sumsort

3. (ue (a |λn.allnum(n,λm.natnum numseq(m))⊃natnum sum(numseq,n)|)
proof_by_induction (open allnum sum))

;∀N.ALLNUM(N,λM.NATNUM(NUMSEQ(M)))⊃NATNUM(SUM(NUMSEQ,N))

4. (rw * (use allnumfact mode: exact direction: reverse))
;∀N.(∀M.M<N⊃NATNUM(NUMSEQ(M)))⊃NATNUM(SUM(NUMSEQ,N))

(label sumsort) ■

;mksetfact

5. (ue (a |λn.n≤length u⊃
(un(λm.mkset(nth(u,m)),n))(x)≡somenum(n,λk.x=nth(u,k))|)
proof_by_induction
(part 1 (open un mkset nth somenum union emptyset) (der))
(use succ_lesseq_lesseq mode: always))

;∀N.N≤LENGTH U⊃(UN(λM.MKSET(NTH(U,M)),N))(X)≡SOMENUM(N,λK.X=NTH(U,K))

6. (rw * (use somenumfact
ue: ((a.|λk.x=nth(u,k)|)(n.n)) mode: exact direction: reverse))
;∀N.N≤LENGTH U⊃(UN(λM.MKSET(NTH(U,M)),N))(X)≡(∃M.M<N∧X=NTH(U,M))

7. (assume |n≤length u|)

8. (ue ((av.|un(λm.mkset nth(u,m),n)|)
(bv.|λx.∃k.k<n∧nth(u,k)=x|)) set_extensionality
(open epsilon)(use * -2 mode: always))
;UN(λM.MKSET(NTH(U,M)),N)=(λX.(∃K.K<N∧NTH(U,K)=X))

9. (ci -2)

;N≤LENGTH U⊃UN(λM.MKSET(NTH(U,M)),N)=(λX.(∃K.K<N∧NTH(U,K)=X))

(label mksetfact) ■

;mklset_un

10. (ue (n |length u|) mksetfact
(use mklset_fact mode: exact direction: reverse) (open lesseq))
;∀U.UN(λM.MKSET(NTH(U,M)),LENGTH U)=MKLSET(U)

(label mklset_un) ■
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8.17.  file  MULT:  Multiplicity. 


;the  notion  ol  multiplicity 
(wipe-out) 

(get-prools  sums) 

(proof  multiplicity) 

1.  (dec  1  mult  (type:  |  (ground»eset)-*ground |  ) ) 

2.  (defax  mult  |Vx  u  a.mult (nil,a)=0A 

mult(x.u,a)=if  a(x)  then  mult(u,a)^  else  mult (u, a) I ) 

(label  mult^def) 

;facts  about  multiplicity 

3.  (ue  (phi  I Au.Va.natnum(mult(u,a)) I )  listinduction 

(use  mult_def  mode:  always)) 

(label  simpinlo)  (label  multfact)  ■ 

;multiplicity  is  less  or  equal  to  length 

4.  (ue  (phi  Uu.mult(u,a)<length(u) I )  listinduction 

lesseq„lesseq_succ  (open  mult  length)  (part  l#l(open  lesseq))) 
;VU.MULT(U^A)<LENGTH  U 
(label  length^mult)  ■ 

;if  there  is  a  member,  multiplicity  is  not  zero 

6.  (ue  (phi  lAu.Vy  a.member(y ,u)Aa(y)30<mult(u,a) I )  listinduction 
(open  mult  member)  (use  normal  mode:  always)) 

;VU  Y  A.MEMBER(Y,U)AA(Y)D0<MULT(U,A) 

6,  (rw  *  use  less^lesseqsucc  mode:  always)) 

;VU  Y  A.MEMBERa,U)AA(Y)31<MULT(U,A) 

(label  member.mult)  ■ 

;multiplicity  of  the  emptyset 

7.  (ue  (phi  lAu.mult(u,emptyset)=0!)  listinduction 

(part  l(open  emptyset  mult))) 

; VU . MULT (U ,EMPT YSET) =0 

(label  simpinfo)  (label  emptyfacts)  ■ 

;mult_nthcdr 

;we  prepare  a  rewriter 

8,  (ue  ((q.  lmult(nthcdr(u,nO  ,a)  ^<mult(u,a)  I ) 

(r.  lmult(nthcdr(u,nO  ,  a)<mult  (u,a)  I  ) 

(p  Ja(nth(u,n))  I ))  trans_cond 
(use  succ_lesseq_lesseq  ue :  ((m. |mult(nthcdr(u,n’) ,a) 1) 

(n. Imult(u,a) I ))  mode:  exact  )) 

;(IF  A(NTH(U,N))  THEN  MULT(NTHCDR(U,» O , A) » <MULT(U,A) 

;  ELSE  MULT ( NTHCDR (U , N  O  , A ) <MULT (U , A) ) DMULT (NTHCDR (U , N  O , A) <MULT (U . A ) 

; conclusion 

9.  (ue  (a  lAn.Va  u.n<length(u)Dmult(nthcdr(u,n),a)<mult(u,a)l)  proof 3y_induction 

(part  1#1  (open  lesseq))  succ^less.less 

(part  1#2#1#1  (use  nthcdr_car_cdr  mode:  always)) 

(open  mult)  *  ) 

;VN  A  U.N<LENGTH  U3MULT(NTHCDR(U,N) ,A)<MULT(U, A) 

(label  mult_nthcdr)  ■ 
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8.17 


.1.  Multiplicity  Implies  Injectivity. 


(prool  mult inj_ computation) 

;a  sublemma  to  compute  multiplicity 

1.  (assume  jj<length  v|) 

(label  mcO) 

2.  (assume  |i<jl) 

(label  mcl) 

3.  (assume  |ntli(v ,i)=nth(v , j)  1 ) 

(label  mc2) 

4.  (derive  |i<length  v|  (mcO  mcl  transitivity^of^order) ) 

(label  mc3) 

;deps:  (mcO  mcl) 

;labels:  NTH.IN.NTHCDR 

;VU  N  M.N<HAM<LENGTH  UDMEMBER(NTH(U,M) ,NTHCDR(U,N)) 

5.  (ue  ((u.v)(n.  jiM)(m.  j))  nth_in_nthcdr  mcO  mcl 

(use  less.lesseqsucc  mode:  exact  direction:  reverse)) 

; MEMBER ( NTH ( V , J ) . NTHCDR ( V , I O ) 

(label  mc4) 

;deps:  (MCO  MCI) 

; labels:  MEMBER.MULT 

;VU  Y  A.MEMBER(Y,U)AA(Y)D1<MULT(U,A) 

6.  (ue  ((u. Inthcdr(v ,iO I ) (y . Inth(v, j) I ) (a. Imkset  nth(v,j)I))  member^mult 

(part  Kopen  lesseq  mkset))  mc4 

(use  mc2  mode:  exact  direction:  reverse)) 

;  1<MULT(NTHCDR( V , I ' ) ,MKSET(NTH( V . I) ) ) 

(label  mc5) 

;deps:  (MCO  MCI  MC2) 

7.  (trw  |n<mult (nthcdr(v ,i' ) ,mkset  nth(v ,i))On’<mult (nthcdr(v,i) , mkset  nth(v,i))l 

(open  mult  mkset) (use  nthcdr_car_cdr  mc3  mode:  exact)) 

; N <MULT (NTHCDR ( V , I O , MKSET ( NTH ( V , I ) ) ) 3N  ^  <MULT ( NTHCDR ( V , I ) . MKSET (NTH ( V , I ) ) ) 
;deps:  (MCO  MCI) 

8 .  (ue  (n  111)  *  mc5) 

; 2  <MULT ( NTHCDR ( V , I ) , MKSET ( NTH ( V , I ) ) ) 

(label  mc6) 

;deps:  (MCO  MCI  MC2) 

; labels:  MULT.NTHCDR 

;VA  U  N.N<LENGTH  UDMULT(NTHCDR(U,N) , A)<MULT(U, A) 

9.  (ue  ( (n.i) (u.v) (a. Imkset  nth(v,i)|))  mult^nthcdr  mc3) 

;MULT(NTHCDR(V,I) ,MKSET(NTH (V , I ) ) ) <MULT(V ,MKSET(NTH(V , I) ) ) 

;deps:  (MCO  MCI) 

; labels:  TRANS.LESSEQ 
;VN  M  K. N<MAM<K3N<K 

10.  (ue  ( (n. I  2 1 ) (m. Imult(nthcdr(v ,i) ,mkset  nth(v, i) ) I ) (k . Imult (v ,mkset  nth(v»i))|)) 

trans.lesseq  mc6  *  ) 

;  2<MULT(V , MKSET (NTH(V , I) ) ) 

;deps:  (MCO  MCI  MC2) 


11.  (ci  (mcl  mcO  mc2)) 

;I<JAJ<LENGTH  V ANTH(V , I) =NTH(V , J) 32<MULT( V ,MKSET( NTH (V , I) ) ) 


(label  multinj^computation) 


;lemma  multiplicity  implies  injectivity 
(prooi  mult.inj) 

1.  (assume  |Vk.k<length  v3mult(v,mkset(nth(v,k)))=l I ) 
(label  mil) 

2.  (assume  li<length  vAj<length  vAnth(v,i)=nth(v, j) I) 
(label  mi2) 

3.  (ue  ((v.v)(i.i) (j . j))  multinj_computation  mi2 

(use  mil  ue:  ((k.i))  mode:  exact) (open  lesseq)) 

;deps:  (Mil  HI2) 

4.  (ue  ((v.v)(i  .  j)(j .i))  multinj^computation  mi2 

(use  mil  ue:  ((k,j))  mode:  exact)(open  lesseq)) 
;nJ<I 

;deps:  (Mil  MI2) 

5.  (derive  I i= j  I  (trichotomy  *  -2)) 

;deps:  (Mil  MI 2) 

6.  (ci  mi2) 

;I<LENGTH  VaJ<LENGTH  VaKTH(V , I)=NTH(V , J) DI=J 
;deps:  (Mil) 

7.  (trw  iinj  v|  (open  inj)  ♦  ) 

;INJ(V) 

;deps:  (Mil) 

8.  (ci  mil) 

;(VK.K<LENGJH  VDMULKV  ,HKSET(NTH(V  .K) )  )==1) 3INJ(V) 
(label  murt^>inj)  ■ 


8.17.2. The Multiplicity of Union is the Sum of Multiplicities.


;Lemma: if the union is disjoint, then the multiplicity of the union is
;the sum of the multiplicities

(proof multsum)

1. (ue (phi |λu.disj_pair(a,b)⊃mult(u,a∪b)=mult(u,a)+mult(u,b)|)
listinduction
(part 1 (open mult union disj_pair emptyp intersection)
(use normal mode: always))
(part 1 (der)))

;∀U.DISJ_PAIR(A,B)⊃MULT(U,A∪B)=MULT(U,A)+MULT(U,B)

(label multsum) ■

2. (ue (a |λn.disjoint(setseq,n)⊃
mult(u,un(setseq,n))=sum(λx1.mult(u,setseq(x1)),n)|)
proof_by_induction (open disjoint un sum mult) multfact
(use multsum mode: exact) (use normal mode: always))
;∀N.DISJOINT(SETSEQ,N)⊃MULT(U,UN(SETSEQ,N))=SUM(λX1.MULT(U,SETSEQ(X1)),N)
(label mult_of_un_is_sum_mult) ■
8.18. file PIGEON: the Pigeon Hole Principle in II Order Arithmetic.


(wipe-out)

(get-proofs sums)

(proof pigeonfact)

1. (assume |∀n.natnum f(n)|)
(label sort1)

2. (ue ((numseq.|λk.f(k)|)(n.n)) sumsort *)
;NATNUM(SUM(λK.F(K),N))
(label sort2)

3. (ue (a |λn.allnum(n,λk.1≤f(k)) ⊃ n≤sum(λk.f(k),n)|)
   proof_by_induction
   (open allnum sum) zeroleast (use sort1 sort2 mode: always)
   (use add_lesseq ue: ((n.n)(k.|f(n)|)(m.|sum(λk.f(k),n)|))))
(label strictly_increasing)
;∀N.ALLNUM(N,λK.1≤F(K)) ⊃ N≤SUM(λK.F(K),N)
;deps: (SORT1)

4. (ue (a |λn.allnum(n,λk.1≤f(k)) ∧ sum(λk.f(k),n)=n ⊃ allnum(n,λk.1=f(k))|)
   proof_by_induction
   (open allnum sum) strictly_increasing sort1 sort2
   (use add_one
    ue: ((k.|f(n)|)(n.n)(m.|sum(λk.f(k),n)|)) mode: always))
;∀N.ALLNUM(N,λK.1≤F(K)) ∧ SUM(λK.F(K),N)=N ⊃ ALLNUM(N,λK.1=F(K))

;in more conventional notation:

5. (rw * (use allnumfact ue: ((a.|λk.1≤f(k)|)(n.n))
    mode: always direction: reverse)
   (use allnumfact ue: ((a.|λk.1=f(k)|)(n.n))
    mode: always direction: reverse))
;∀N.(∀M.M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M.M<N ⊃ 1=F(M))
;deps: (SORT1)

6. (ci sort1)
;(∀N.NATNUM(F(N))) ⊃
;  (∀N.(∀M.M<N ⊃ 1≤F(M)) ∧ SUM(λK.F(K),N)=N ⊃ (∀M.M<N ⊃ 1=F(M)))

;application to lists
(proof pigeonlist)

1. (assume |disjoint(setseq,length u)|)
(label pl1)

;multiplicity less than length

2. (ue ((u.u)(a.|un(setseq,length u)|)) lengthmult)
;MULT(U,UN(SETSEQ,LENGTH U))≤LENGTH U
(label pl2)

3. (derive |sum(λm.mult(u,setseq(m)),length u)≤length u|
   (mult_of_un_is_sum_mult pl1 pl2))
(label pl3)

4. (ue ((f.|λm.mult(u,setseq(m))|)(n.|length u|)) pigeonfact pl3 multfact)
;(∀M.M<LENGTH U ⊃ 1≤MULT(U,SETSEQ(M))) ⊃ (∀M.M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M)))
;deps: (PL1)

;the pigeon hole principle on lists

5. (ci pl1)
;DISJOINT(SETSEQ,LENGTH U) ⊃
;  ((∀M.M<LENGTH U ⊃ 1≤MULT(U,SETSEQ(M))) ⊃ (∀M.M<LENGTH U ⊃ 1=MULT(U,SETSEQ(M))))
(label pigeonlist) ■


8.19. file ALPIG: Application to Alists 1: Disjointness.


;first application: to alists. Lemma: inj implies disjoint
(wipe-out)

(get-proofs appal)

(proof inj_disj)

;a main lemma for the induction step

1. (assume |inj u|)
(label injdsj0)

2. (rw * (open inj))
(label injdsj1)
;∀N M.N<LENGTH U ∧ M<LENGTH U ∧ NTH(U,N)=NTH(U,M) ⊃ N=M

3. (assume |n<length u|)
(label injdsj2)

4. (assume |(un(λm.mkset(nth(u,m)),n))(xv) ∧ (mkset(nth(u,n)))(xv)|)
(label injdsj3)

;need mksetfact

5. (ue ((u.u)(n.n)) mksetfact (open lesseq) injdsj2)
;UN(λM.MKSET(NTH(U,M)),N)=(λX.(∃K.K<N ∧ NTH(U,K)=X))

6. (rw injdsj3 (use * mode: exact) (open mkset) injdsj2)
;(∃K.K<N ∧ NTH(U,K)=XV) ∧ XV=NTH(U,N)
(label injdsj4)

7. (define kv |kv<n ∧ nth(u,kv)=xv| (use *))
(label injdsj5)

8. (derive |kv<length u ∧ nth(u,kv)=nth(u,n)|
   (* injdsj2 transitivity_of_order)
   (use injdsj4 mode: always direction: reverse))

9. (derive |kv=n| (injdsj2 * injdsj1))

10. (rw injdsj5 (use * mode: exact) irreflexivity_of_order)
;FALSE
;deps: (INJDSJ0 INJDSJ3 INJDSJ2)

11. (ci injdsj3)
;¬((UN(λM.MKSET(NTH(U,M)),N))(XV) ∧ (MKSET(NTH(U,N)))(XV))

12. (ci (injdsj0 injdsj2))
;INJ(U) ∧ N<LENGTH U ⊃ ¬((UN(λM.MKSET(NTH(U,M)),N))(XV) ∧ (MKSET(NTH(U,N)))(XV))
(label injdsj_lemma)

;the theorem follows

13. (ue (a |λn.inj(u) ∧ n≤length(u) ⊃ disjoint(λm.mkset nth(u,m),n)|)
    proof_by_induction
    (open disjoint disj_pair intersection emptyp)
    (use less_lesseqsucc mode: always direction: reverse)
    (use injdsj_lemma mode: always)(part 1#2#1#1 (open lesseq)))
;∀N.INJ(U) ∧ N≤LENGTH U ⊃ DISJOINT(λM.MKSET(NTH(U,M)),N)

14. (ue (n |length u|) * (open lesseq))
;INJ(U) ⊃ DISJOINT(λM.MKSET(NTH(U,M)),LENGTH U)
(label inj_disj) ■


8.20. Application to Alists 2: the Multiplicity is Positive.


;the sets in the sequence have positive multiplicity
(proof permutp_injectp_lemma)

1. (assume |mklset u=mklset v|)
(label pil1)

2. (assume |n<length u|)
(label pil2)

;use nthmember

3. (trw |nth(u,n) ∈ mklset u| (open epsilon mklset)
   nthmember pil2)
;NTH(U,N)∈MKLSET(U)
;deps: (PIL2)

;now use line pil1

4. (rw * (use pil1 mode: exact))
;NTH(U,N)∈MKLSET(V)
;deps: (PIL1 PIL2)

;Finally, using MKLSET_FACT, we prove the existence of a kv such that
;nth(v,kv)=nth(u,n)

;labels: MKLSET_FACT
;∀U.MKLSET(U)=(λX.(∃K.K<LENGTH U ∧ NTH(U,K)=X))

5. (rw * (use mklset_fact mode: exact) (open epsilon mkset))
;∃K.K<LENGTH V ∧ NTH(V,K)=NTH(U,N)
;deps: (PIL1 PIL2)

6. (define kv |kv<length(v) ∧ nth(v,kv)=nth(u,n)| *)
(label pil3)
;deps: (PIL1 PIL2)

7. (trw |member(nth(v,kv),v)| nthmember pil3)
;MEMBER(NTH(V,KV),V)
(label pil4)

;Therefore the set mkset(nth(u,n)) has positive multiplicity in v.

;labels: MEMBER_MULT
;∀U Y A.MEMBER(Y,U) ∧ A(Y) ⊃ 1≤MULT(U,A)

8. (ue ((u.v)(y.|nth(v,kv)|)(a.|mkset nth(u,n)|)) member_mult
   (part 1 (open mkset)) pil2 pil4 (use pil3 mode: always))
;1≤MULT(V,MKSET(NTH(U,N)))
;deps: (PIL1 PIL2)

9. (ci (pil1 pil2))
;MKLSET(U)=MKLSET(V) ∧ N<LENGTH U ⊃ 1≤MULT(V,MKSET(NTH(U,N)))

;cosmetics

10. (derive |∀u v.mklset u=mklset v ⊃ (∀m.m<length u ⊃ 1≤mult(v,mkset nth(u,m)))| *)
(label permutp_injectp_lemma) ■


8.21. Application to Alists 3: Multiplicities in Dom and Range.


;lemma mult_mult
(proof mult_mult)

1. (assume |mklset u = mklset v|)
(label mm1)

2. (assume |∀m.m<length u ⊃ mult(v,mkset nth(u,m))=1|)
(label mm2)

3. (assume |i<length v|)
(label mm3)

4. (trw |nth(v,i) ∈ mklset v| (open epsilon mklset)
   (use * nthmember mode: exact))
;NTH(V,I)∈MKLSET(V)

5. (rw * (use mm1 mode: exact direction: reverse))
;NTH(V,I)∈MKLSET(U)

6. (rw * (use mklset_fact mode: exact) (open epsilon))
;∃K.K<LENGTH U ∧ NTH(U,K)=NTH(V,I)

7. (define mv |mv<length u ∧ nth(u,mv)=nth(v,i)| *)
(label mm4)
;MV is unknown.
;the symbol MV is given the same declaration as M
;deps: (MM1 MM3)

8. (ue (m mv) mm2 (use * mode: always))
;MULT(V,MKSET(NTH(V,I)))=1
;deps: (MM1 MM2 MM3)

9. (ci mm3)
;I<LENGTH V ⊃ MULT(V,MKSET(NTH(V,I)))=1
;deps: (MM1 MM2)

10. (ci (mm1 mm2))
;MKLSET(U)=MKLSET(V) ∧ (∀M.M<LENGTH U ⊃ MULT(V,MKSET(NTH(U,M)))=1) ⊃
;  (I<LENGTH V ⊃ MULT(V,MKSET(NTH(V,I)))=1)
(label mult_mult) ■


8.22,  Application  to  Alists:  a  Permutation  is  an  Injection. 

;the  main  result  lor  permutp:  theorem  permutp_injectp 
(prool  permutp_injectp) 

1.  (assume  i permutp  alisti) 

(label  permutp_ihjectpl) 

2.  (rw  ♦  (open  permutp)) 

;FUNCTP(ALIST)aMKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST)) 
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(label  permutp_injectp2) 

(rw  *  (open  lunctp)) 

;UNIQUENESS(DOM(ALIST))aMKLSET(DOMCALIST))=MKLSET(RANGE(ALIST)) 
(label  permutp_injectp3) 


;first  step:  disjointness  ol  a  suitable  sequence  ol  sets 

; labels:  UK I QUEHESS. INJECTIVITY 
;VU.UNIQUENESS(U)slNJ(U) 

;labels:  INJ.DISJ 

;VU.INJ(U)DDISJOINT(AM.MKSET(NTH(U,M)) , LENGTH  U) 

(derive  I inj (doffi(alist)) I  (*  uniqueness_injectivity)) 

;deps:  (PERMUTP. INJECTED 

(derive  |disjoint(Am.mkset(nth(dom(alist)  ,m))  , length  (dom(alist)) )  I 
(*  inj^disj)) 

(label  permutp„injectp4) 


jsecond  step:  multiplicity  ol  the  sets  in  the  sequence  is  positive 
; labels:  PERMOTP_ INJECT? _LEMMA 

;VU  V.MKLSET(U)=MKLSET(V)J(VM.M<LENGTH  UJ1<HULT(V ,HKSET(NTH(U.M)))) 

(ue  ((u-ldom  alist  |)(v.  Irange  alistj))  permutp_injectp_leinma 
(permutp_injectp3  permutp_injectp4) ) 

;VM.M<LENGTH  (DOM(ALIST) )D1<MULT(RANGE(ALIST) .MKSET(NTH(DOM(ALIST) ,M))) 
(label  permutp.injectpS) 


; third  step:  application  ol  the  pigeon  hole  principle 
;labels:  PIGEONLIST 

;VSETSEQ  U.DISJOINT(SETSEQ , LENGTH  U) A(VK .K<LENGTH  U31<lfULT(U.SETSEQ(K) ) )D 
;  (VK.K<LENGTH  UD1=MULT(U,SETSEQ(K))) | ) 

;need  also 

;  labels :  DOHRAHGELENGTH 

;VALIST. LENGTH  (DOM(ALIST) )=LENGTH  (RANGE(ALIST)) 

(ue  ((setseq. Um.mkset  nth(dom  alist ,m) I ) (u. Irange  alist!))  pigeonlist 
(use  domrangelength  mode:  exact  direction:  reverse) 
permutp_injectp4  permutp_injectp5) 

;VK.K<LENGTH  (DOM(ALIST) ) D1=MULT(RANGE(ALIST)  ,MKSET(NTH(1)0M(ALIST)  ,K))) 
;lourth  step:  injectivity 
; labels:  MULT.MULT 

;VU  V.MKLSET(U)=MKLSET(V)A(VK.K<LENGTH  UDHULT(V ,MKSET(HTH(U,K) ))=D3 
;  ( VI .  KLENGTH  V3MULT (  V » MKSET ( NTH  (  V ,  I )  )  ) =1 ) 

(ue  ((u. Idom(alist) I) (v, Irange(alist) 1))  mult.mult 
permutp.injectp3  ♦  ) 

;VI. KLENGTH  (RANGE(ALIST)) 3MULT(RANGE(ALIST) ,MKSET(NTH(RAHGE(ALIST)  , I) ) )=1 
;deps:  (PERMUTP. INJECTED 

; apply  mu It ^ inj 

; labels:  MULT.INJ 

;VV.(VK.K<LENGTH  VDMULT(V ,MKSET(NTH(V  ,K)  ))^D3INJ(V) 


(ue  (v  Irange  alist!)  mult^inj  *  ) 
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;INJ(RANGE(ALIST)) 

Ideps:  (PERMUTP.INJECTPl) 

10.  (derive  |uniqueness(range  alist)l  (»  uniqueness. injectivity)) 
;deps:  (PERMUTP.INJECTPl) 

11.  (derive  linjectp  alisti  (permutp.injectp2  •)(open  injectp)) 
;deps:  (PERMUTP.INJECTPl) 

12.  (ci  (permutp.injectpl)) 

; PERMUTP ( ALIST) JIN JECTP ( ALIST) 

(label  theorem.permutp.injectp)  ■ 

(save-prools  alpig) 


8.23. file LPIG: Application to Lists 1: Disjointness.


;Disjointness
(proof disjoint_number)

;lemma dn1

1. (ue (a |λn.∀m.(un((λxv.mkset(xv)),n))(m) ⊃ m<n|)
   proof_by_induction
   (part 1 (open mkset un emptyset union))
   (use normal mode: always)
   (use successor1 transitivity_of_order))
;∀N M.(UN(λXV.MKSET(XV),N))(M) ⊃ M<N

;lemma disjoint number

2. (ue ((n.n)(m.n)) dn1 irreflexivity_of_order)
;¬(UN(λXV.MKSET(XV),N))(N)

3. (trw |(un(λyv.mkset(yv),n))(xv) ∧ (mkset(n))(xv)| * (part 2 (open mkset)))
;¬((UN(λYV.MKSET(YV),N))(XV) ∧ (MKSET(N))(XV))

4. (ue (a |λn.disjoint(λxv.mkset(xv),n)|) proof_by_induction
   (open disjoint disj_pair emptyp intersection)
   (use * mode: exact))
;∀N.DISJOINT(λXV.MKSET(XV),N)
(label disjoint_number) ■


8.24. Application to Lists 3: Multiplicity in the Range.


;lemma into_mult
(proof into_mult)

1. (assume |into(u)|)
(label im1)

2. (assume |∀k.k<length u ⊃ 1=mult(u,mkset k)|)
(label im2)

3. (assume |i<length u|)
(label im3)

4. (rw im1 (open into))
;∀N.N<LENGTH U ⊃ NATNUM(NTH(U,N)) ∧ NTH(U,N)<LENGTH U
;deps: (IM1)

5. (ue (k |nth(u,i)|) im2 (use im3 * mode: exact))
;1=MULT(U,MKSET(NTH(U,I)))
;deps: (IM1 IM2 IM3)

6. (ci im3)
;I<LENGTH U ⊃ 1=MULT(U,MKSET(NTH(U,I)))
;deps: (IM1 IM2)

7. (ci (im1 im2))
;INTO(U) ∧ (∀K.K<LENGTH U ⊃ 1=MULT(U,MKSET(K))) ⊃
;  (I<LENGTH U ⊃ 1=MULT(U,MKSET(NTH(U,I))))
(label into_mult) ■


8.25. Application to Lists: a Permutation is an Injection.


;the main result for perm
;a straightforward application of pigeon hole to onto lists

(proof perm_inj)
;∀U.PERM(U) ⊃ INJ(U)

1. (assume |perm u|)
(label perm_inj1)

2. (rw * (open perm onto))
;INTO(U) ∧ (∀N.N<LENGTH U ⊃ MEMBER(N,U))
(label perm_inj2)

;labels: MEMBER_MULT
;∀U Y A.MEMBER(Y,U) ∧ A(Y) ⊃ 1≤MULT(U,A)

3. (ue ((u.u)(y.n)(a.|mkset n|)) member_mult
   (part 1 (open mkset)))
;MEMBER(N,U) ⊃ 1≤MULT(U,MKSET(N))

4. (derive |∀n.n<length u ⊃ 1≤mult(u,mkset n)| (perm_inj2 *))
(label onto_mult)(label perm_inj3)
;deps: (PERM_INJ1)

5. (ue ((setseq.|λxv.mkset(xv)|)(u.u)) pigeonlist disjoint_number perm_inj3)
;∀K.K<LENGTH U ⊃ 1=MULT(U,MKSET(K))
(label perm_inj4)
;deps: (PERM_INJ1)

;labels: INTO_MULT
;∀U.INTO(U) ∧ (∀K.K<LENGTH U ⊃ 1=MULT(U,MKSET(K))) ⊃
;  (∀I.I<LENGTH U ⊃ 1=MULT(U,MKSET(NTH(U,I))))

6. (derive |∀i.i<length u ⊃ 1=mult(u,mkset(nth(u,i)))| (into_mult perm_inj2 *))
;deps: (PERM_INJ1)

;labels: MULT_INJ
;∀V.(∀K.K<LENGTH V ⊃ MULT(V,MKSET(NTH(V,K)))=1) ⊃ INJ(V)

7. (ue (v u) mult_inj *)
;INJ(U)
;deps: (PERM_INJ1)

8. (ci perm_inj1)
;PERM(U) ⊃ INJ(U)
(label perm_injectivity)

(save-proofs lpig)
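The counting argument behind MULTSUM, PIGEONLIST (8.18) and PERM_INJ above, as an added Python example that is not part of the EKL transcript. Sets are represented as predicates and a set sequence as a function from an index to a predicate; because predicates cannot be enumerated, disjointness is checked over an explicit finite universe, which is this example's assumption rather than the page's.

```python
# Added example (not from the EKL transcript): the multiplicity argument behind
# PIGEONLIST and PERM_INJ, in Python. Names follow the page's predicates;
# representing a set as a predicate and a set sequence as a function from an
# index to a predicate is our choice, as is the explicit finite universe.
from typing import Callable, Hashable, List

Pred = Callable[[Hashable], bool]


def mult(u: List[Hashable], a: Pred) -> int:
    """MULT(U,A): number of positions k < length u with nth(u,k) in the set a."""
    return sum(1 for x in u if a(x))


def mkset(x: Hashable) -> Pred:
    """MKSET(X): the singleton set {x}."""
    return lambda y: y == x


def un(setseq: Callable[[int], Pred], n: int) -> Pred:
    """UN(SETSEQ,N): union of setseq(0), ..., setseq(n-1)."""
    return lambda y: any(setseq(k)(y) for k in range(n))


def disjoint(setseq, n: int, universe) -> bool:
    """DISJOINT(SETSEQ,N): setseq(k) and the union of the earlier sets never
    share an element. Checked only over the finite universe (our assumption)."""
    return all(not (un(setseq, k)(y) and setseq(k)(y))
               for k in range(n) for y in universe)


def mult_of_union_is_sum(u, setseq, n: int, universe) -> bool:
    """MULT_OF_UN_IS_SUM_MULT on a concrete instance: for a disjoint sequence,
    the multiplicity of the union equals the sum of the multiplicities."""
    assert disjoint(setseq, n, universe)
    return mult(u, un(setseq, n)) == sum(mult(u, setseq(k)) for k in range(n))


def pigeonlist(u, setseq, universe) -> bool:
    """PIGEONLIST: if the length(u) sets are disjoint and each has multiplicity
    >= 1 in u, then each has multiplicity exactly 1. Returns True only when
    the hypotheses hold and the conclusion has been verified."""
    n = len(u)
    if not disjoint(setseq, n, universe):
        return False
    if not all(1 <= mult(u, setseq(k)) for k in range(n)):
        return False
    # n multiplicities, each >= 1, summing to at most n (LENGTHMULT): all are 1
    total = sum(mult(u, setseq(k)) for k in range(n))
    assert total <= n
    return all(mult(u, setseq(k)) == 1 for k in range(n))


def perm(u: List[int]) -> bool:
    """PERM(U) = INTO(U) and ONTO(U): entries are naturals below length u,
    and every natural below length u occurs in u."""
    n = len(u)
    into = all(isinstance(x, int) and 0 <= x < n for x in u)
    onto = all(k in u for k in range(n))
    return into and onto


def inj(u: List[Hashable]) -> bool:
    """INJ(U): distinct positions hold distinct elements."""
    return all(u[i] != u[j] for i in range(len(u)) for j in range(i + 1, len(u)))


def perm_inj(u: List[int]) -> bool:
    """PERM_INJ, following the page's proof: SETSEQ = λxv.mkset(xv) is disjoint
    (DISJOINT_NUMBER), ONTO gives multiplicity >= 1 for every k < length u,
    PIGEONLIST gives multiplicity exactly 1, hence no entry is repeated."""
    if not perm(u):
        return False
    assert pigeonlist(u, mkset, range(len(u)))   # 1 = mult(u, {k}) for k < n
    return inj(u)


if __name__ == "__main__":
    # constructed sample inputs
    print(perm_inj([2, 0, 3, 1]))   # True: a permutation of 0..3 is injective
    print(perm([2, 0, 0, 1]))       # False: 3 never occurs, so not onto
```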


8.26. Operations on Functions Represented by Association Lists.


;the approach using association lists
(wipe-out)

(get-proofs appal)

(proof assoc)

1. (decl (compalist) (infixname: |∘∘|) (type: |ground⊗ground→ground|)
   (syntype: constant) (bindingpower: 930))

2. (defax compalist
   |∀alist1 alist2 xa y.nil ∘∘ alist2=nil ∧
    ((xa.y).alist1) ∘∘ alist2=
    (xa.appalist(y,alist2)).(alist1 ∘∘ alist2)|)
(label compalistdef)

3. (decl invalist (type: |ground→ground|))

4. (defax invalist
   |∀alist xa y.invalist nil=nil ∧
    invalist((xa.y).alist)=(y.xa).invalist alist|)
(label invalistdef)

5. (decl idalistp (type: |ground→truthval|))

6. (defax idalistp
   |∀alist xa y.idalistp(nil) ∧
    (idalistp((xa.y).alist)≡xa=y ∧ idalistp alist)|)
(label idalistpdef)


8.26.1. file ASSOC: Functions Represented by Association Lists.


(proof alistprop)
;prove sorts
;compalist sort

1. (ue (chi |λalist.alistp(alist ∘∘ alist1)|) alistinduction
   (part 1 (open compalist) (use appalistsort mode: exact)))
;∀ALIST.ALISTP ALIST ∘∘ ALIST1
(label simpinfo) (label compalistsort) ■

;invalistsort

2. (ue (chi |λalist.allp(λx.atom x,range alist) ⊃ alistp invalist(alist)|)
   alistinduction (open range member invalist)
   (use allpfact ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST)) ⊃ ALISTP INVALIST(ALIST)
(label invalistsort) ■


;prove facts about composition of functions
;three (of five) lemmata

;lemma 1

3. (ue (chi |λalist.member(x,dom(alist)) ⊃
    appalist(x,alist ∘∘ alist1)=appalist(appalist(x,alist),alist1)|)
   alistinduction
   (part 1 (use appalistdef mode: always)
   (open dom member compalist assoc))
   (use normal mode: always))
;∀ALIST.MEMBER(X,DOM(ALIST)) ⊃
;  APPALIST(X,ALIST ∘∘ ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)
(label alist_lemma1) (label app_compalist) ■

;lemma 2

4. (ue (chi |λalist.dom(alist ∘∘ alist1)=dom(alist)|)
   alistinduction
   (open compalist dom))
;∀ALIST.DOM(ALIST ∘∘ ALIST1)=DOM(ALIST)
(label alist_lemma2) (label dom_compalist) ■

;compalist lemma

5. (ue (chi |λalist.¬member(za,range alist) ⊃ alist ∘∘ ((za.z).alist1)=alist ∘∘ alist1|)
   alistinduction
   (open member range compalist appalist assoc) (use demorgan mode: always))
;∀ALIST.¬MEMBER(ZA,RANGE(ALIST)) ⊃ ALIST ∘∘ ((ZA.Z).ALIST1)=ALIST ∘∘ ALIST1
(label compalist_lemma) ■

;samemap right

6. (ue (chi |λalist.samemap(alist1,alist2) ⊃ alist ∘∘ alist1=alist ∘∘ alist2|)
   alistinduction
   (part 1 (use samemap_def1 mode: exact))
   (part 1 (open compalist samemap)))
;∀ALIST.SAMEMAP(ALIST1,ALIST2) ⊃ ALIST ∘∘ ALIST1=ALIST ∘∘ ALIST2
(label samemap_right) ■

;prove a fact about the identity function
;idalistp_main

7. (ue (chi |λalist.idalistp(alist) ∧ member(y,dom alist) ⊃ appalist(y,alist)=y|)
   alistinduction
   (open idalistp appalist assoc member dom) (use normal mode: always))
;∀ALIST.IDALISTP(ALIST) ∧ MEMBER(Y,DOM(ALIST)) ⊃ CDR ASSOC(Y,ALIST)=Y
(label idalistp_main) ■

;prove facts about inversion of functions
;dom invalist

8. (ue (chi |λalist.allp(λx.atom x,range alist) ⊃ dom invalist(alist)=range alist|)
   alistinduction (open dom range invalist) (use invalistsort)
   (use allpfact ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST)) ⊃ DOM(INVALIST(ALIST))=RANGE(ALIST)
(label dom_invalist) ■

;range invalist

9. (ue (chi |λalist.allp(λx.atom x,range alist) ⊃ range invalist(alist)=dom alist|)
   alistinduction (open dom range invalist) (use invalistsort)
   (use allpfact ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|)) mode: always))
;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST)) ⊃ RANGE(INVALIST(ALIST))=DOM(ALIST)
(label range_invalist) ■
8.26.2. Lemma Nonempty Range.


(proof nonempty_range)

;lemma 3

5. (ue (chi |λalist.member(x,dom alist) ⊃ somep(λy.appalist(x,alist)=y,range alist)|)
   alistinduction
   (part 1 (open dom somep range member appalist assoc))
   (use normal mode: always))
;∀ALIST.MEMBER(X,DOM(ALIST)) ⊃ SOMEP(λY.APPALIST(X,ALIST)=Y,RANGE(ALIST))

6. (rw * (use somepfact mode: exact))
;∀ALIST.MEMBER(X,DOM(ALIST)) ⊃
;  (∃X1.MEMBER(X1,RANGE(ALIST)) ∧ APPALIST(X,ALIST)=X1)
(label nonempty_range) ■


8.26.3. Lemma Nonempty Domain.

This lemma says that if z belongs to range(alist), then there is an x in dom(alist) such
that appalist(x, alist) = z. As noticed above, this requires the fact that alist represents a
function, i.e. that dom(alist) has the uniqueness property, for if some (x z1) occurs in alist
before (x z), with z1≠z, then appalist(x, alist) will give z1 as value.

;lemma 4

(proof nonempty_domain)

1. (assume |uniqueness dom(alist) ∧ member(z,range alist) ⊃
    (∃x.member(x,dom alist) ∧ appalist(x,alist)=z)|)
(label lem41)

2. (assume |uniqueness dom((xa.y).alist)|)
(label lem42)

3. (rw * (open uniqueness dom))
;¬MEMBER(XA,DOM(ALIST)) ∧ UNIQUENESS(DOM(ALIST))
(label lem43)
;deps: (LEM42)

4. (assume |member(z,range((xa.y).alist))|)
(label lem44)

5. (rw * (open range member))
;Z=Y ∨ MEMBER(Z,RANGE(ALIST))
(label lem45)
;deps: (LEM44)

We use the last line for a proof by cases. The first case follows by expanding the definitions.

6. (assume |z=y|)

7. (trw |∃x1.member(x1,dom((xa.y).alist)) ∧ appalist(x1,(xa.y).alist)=z|
   (open dom member appalist assoc) (use * mode: exact))
;∃X1.MEMBER(X1,DOM((XA.Y).ALIST)) ∧ APPALIST(X1,(XA.Y).ALIST)=Z
(label lem46)
We use the assumption of the second case and the induction hypothesis (line 1) to get an
element xxv in the inverse image of z (line 9); then we use the assumption of uniqueness (lines 2
and 3) to show that xxv ≠ xa (line 10) and

appalist(xxv, (xa.y).alist) = appalist(xxv, alist) = z

(line 11).

8. (assume |member(z,range(alist))|)
(label lem47)

9. (define xxv |member(xxv,dom alist) ∧ appalist(xxv,alist)=z|
   (lem41 lem43 lem47))
(label lem48)
;deps: (LEM41 LEM42 LEM47)

10. (derive |xxv≠xa| (lem43 lem48))
;deps: (LEM41 LEM42 LEM47)

11. (trw |appalist(xxv,(xa.y).alist)=z| (open appalist assoc)
    (use * mode: exact)(use lem48 mode: always direction: reverse))
;APPALIST(XXV,(XA.Y).ALIST)=Z
;deps: (LEM41 LEM42 LEM47)

12. (derive
    |∃x1.member(x1,dom((xa.y).alist)) ∧ appalist(x1,(xa.y).alist)=z|
    (lem48 *) (open dom) (use memberdef mode: always))
(label lem49)
;deps: (LEM41 LEM42 LEM47)

13. (cases lem45 lem46 lem49)
;∃X1.MEMBER(X1,DOM((XA.Y).ALIST)) ∧ APPALIST(X1,(XA.Y).ALIST)=Z
;deps: (LEM41 LEM42 LEM44)

14. (ci (lem42 lem44))
;UNIQUENESS(DOM((XA.Y).ALIST)) ∧ MEMBER(Z,RANGE((XA.Y).ALIST)) ⊃
;  (∃X1.MEMBER(X1,DOM((XA.Y).ALIST)) ∧ APPALIST(X1,(XA.Y).ALIST)=Z)
;deps: (LEM41)

15. (ci lem41)

16. (ue (chi |λalist.uniqueness dom(alist) ∧ member(z,range alist) ⊃
    (∃x.member(x,dom alist) ∧ appalist(x,alist)=z)|)
    alistinduction
    (part 1#1 (open range member)) (use * mode: exact))
;∀ALIST.UNIQUENESS(DOM(ALIST)) ∧ MEMBER(Z,RANGE(ALIST)) ⊃
;  (∃X.MEMBER(X,DOM(ALIST)) ∧ APPALIST(X,ALIST)=Z)
(label nonempty_domain) ■


8.26.4. Lemma Range Compose, Part 1.


;theorem 1 (i); lemma range compose, part 1
(proof range_compose)

1. (assume |permutp(alist)|)
(label rc1)

2. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST)) ∧ MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label rc2)

3. (assume |mklset dom(alist)=mklset dom(alist1)|)
(label rc3)

4. (assume |member(z,range(alist ∘∘ alist1))|)
(label rc4)

;apply lemma 4 and lemma 2

5. (ue ((alist.|alist ∘∘ alist1|)(z.z)) nonempty_domain
   (use dom_compalist rc2 rc4 mode: exact))
;deps: (RC1 RC4)
;∃X.MEMBER(X,DOM(ALIST)) ∧ APPALIST(X,ALIST ∘∘ ALIST1)=Z

6. (define xxvv |member(xxvv,dom alist) ∧ appalist(xxvv,alist ∘∘ alist1)=z| *)
(label rc5)
;deps: (RC1 RC4)

;apply lemma 1

7. (rw * (use app_compalist mode: always))
;MEMBER(XXVV,DOM(ALIST)) ∧ APPALIST(APPALIST(XXVV,ALIST),ALIST1)=Z
(label rc6)
;deps: (RC1 RC4)

;apply lemma 3

8. (define yyvv |member(yyvv,range alist) ∧ appalist(xxvv,alist)=yyvv|
   (nonempty_range rc6))
(label rc7)
;deps: (RC1 RC4)

9. (trw |yyvv ∈ mklset range(alist)| (open mklset epsilon) rc7)
;YYVV∈MKLSET(RANGE(ALIST))
;deps: (RC1 RC4)

10. (rw * (use rc2 mode: exact direction: reverse)
    (use rc3 mode: exact))
;YYVV∈MKLSET(DOM(ALIST1))
;deps: (RC1 RC3 RC4)

11. (rw * (open epsilon mklset))
;MEMBER(YYVV,DOM(ALIST1))
;deps: (RC1 RC3 RC4)

;apply again lemma 3, this time to alist1

12. (define zzvv |member(zzvv,range alist1) ∧ appalist(yyvv,alist1)=zzvv|
    (nonempty_range *))
(label rc8)
;deps: (RC1 RC3 RC4)

13. (rw rc6 rc7)
;MEMBER(XXVV,DOM(ALIST)) ∧ APPALIST(YYVV,ALIST1)=Z
;deps: (RC1 RC4)

14. (trw |zzvv=z| * (use rc8 mode: always direction: reverse))
;ZZVV=Z
;deps: (RC1 RC3 RC4)

15. (trw |member(z,range alist1)| rc8 (use * mode: exact direction: reverse))
;MEMBER(Z,RANGE(ALIST1))
;deps: (RC1 RC3 RC4)

16. (ci rc4)
;MEMBER(Z,RANGE(ALIST ∘∘ ALIST1)) ⊃ MEMBER(Z,RANGE(ALIST1))
;deps: (RC1 RC3)

17. (trw |mklset range(alist ∘∘ alist1) ⊂ mklset range(alist1)| *
    (open mklset inclusion))
;MKLSET(RANGE(ALIST ∘∘ ALIST1)) ⊂ MKLSET(RANGE(ALIST1))
;deps: (RC1 RC3)

18. (ci (rc1 rc3))
;PERMUTP(ALIST) ∧ MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1)) ⊃
;  MKLSET(RANGE(ALIST ∘∘ ALIST1)) ⊂ MKLSET(RANGE(ALIST1))


8.26.5. Lemma Range Compose, Part 2.


;theorem 1 (i); lemma range compose, part 2
(proof range_compose2)

1. (assume |permutp(alist)|)
(label rc21)

2. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST)) ∧ MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label rc22)

3. (assume |permutp(alist1)|)
(label rc23)

4. (rw * (open permutp functp))
;UNIQUENESS(DOM(ALIST1)) ∧ MKLSET(DOM(ALIST1))=MKLSET(RANGE(ALIST1))
(label rc24)

5. (assume |mklset dom(alist)=mklset dom(alist1)|)
(label rc25)

6. (assume |member(z,range alist1)|)
(label rc26)

;apply lemma 4

7. (define yv1 |member(yv1,dom alist1) ∧ appalist(yv1,alist1)=z|
   (nonempty_domain rc24 rc26))
(label rc27)
;deps: (RC23 RC26)

8. (trw |yv1 ∈ mklset dom(alist1)| * (open epsilon mklset))
;YV1∈MKLSET(DOM(ALIST1))
;deps: (RC23 RC26)

9. (rw * (use rc25 mode: exact direction: reverse)
   (use rc22 mode: exact))
;YV1∈MKLSET(RANGE(ALIST))
;deps: (RC21 RC23 RC25 RC26)

10. (rw * (open epsilon mklset))
;MEMBER(YV1,RANGE(ALIST))
(label rc28)
;deps: (RC21 RC23 RC25 RC26)

;apply again lemma 4, this time to alist

11. (define xv1 |member(xv1,dom alist) ∧ appalist(xv1,alist)=yv1|
    (nonempty_domain rc22 rc28))
(label rc29)
;deps: (RC21 RC23 RC25 RC26)

;apply lemma 2 and rewrite

12. (trw |member(xv1,dom(alist ∘∘ alist1))| * (use dom_compalist))
;MEMBER(XV1,DOM(ALIST ∘∘ ALIST1))
(label rc30)
;deps: (RC21 RC23 RC25 RC26)

13. (trw |appalist(xv1,alist ∘∘ alist1)| rc29 rc30
    (use app_compalist rc29 rc27 mode: always))
;APPALIST(XV1,ALIST ∘∘ ALIST1)=Z
(label rc31)
;deps: (RC21 RC23 RC25 RC26)

;apply lemma 3

14. (ue ((alist.|alist ∘∘ alist1|)(x.xv1)) nonempty_range
    (use dom_compalist rc22 rc30 mode: always))
;∃Y.MEMBER(Y,RANGE(ALIST ∘∘ ALIST1)) ∧ APPALIST(XV1,ALIST ∘∘ ALIST1)=Y
;deps: (RC21 RC23 RC25 RC26)

15. (define zv1
    |member(zv1,range(alist ∘∘ alist1)) ∧ appalist(xv1,alist ∘∘ alist1)=zv1| *)
(label rc32)
;deps: (RC21 RC23 RC25 RC26)

16. (trw |zv1=z| rc31 (use * mode: always direction: reverse))
;ZV1=Z
;deps: (RC21 RC23 RC25 RC26)

17. (trw |member(z,range(alist ∘∘ alist1))| rc32
    (use * mode: exact direction: reverse))
;MEMBER(Z,RANGE(ALIST ∘∘ ALIST1))
;deps: (RC21 RC23 RC25 RC26)

18. (ci rc26)
;MEMBER(Z,RANGE(ALIST1)) ⊃ MEMBER(Z,RANGE(ALIST ∘∘ ALIST1))
;deps: (RC21 RC23 RC25)

19. (trw |mklset range(alist1) ⊂ mklset range(alist ∘∘ alist1)| *
    (open inclusion mklset))
;MKLSET(RANGE(ALIST1)) ⊂ MKLSET(RANGE(ALIST ∘∘ ALIST1))
;deps: (RC21 RC23 RC25)

20. (ci (rc21 rc23 rc25))
;PERMUTP(ALIST) ∧ PERMUTP(ALIST1) ∧ MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1)) ⊃
;  MKLSET(RANGE(ALIST1)) ⊂ MKLSET(RANGE(ALIST ∘∘ ALIST1))


8.26.6. Conclusion of Theorem 1.


(proof permutp_compalist)

1. (assume |permutp(alist)|)
(label permut_comp1)

2. (assume |permutp(alist1)|)
(label permut_comp2)

3. (assume |mklset(dom(alist))=mklset(dom(alist1))|)
(label permut_comp3)

4. (derive |mklset(range(alist ∘∘ alist1)) ⊂ mklset(range(alist1)) ∧
    mklset(range(alist1)) ⊂ mklset(range(alist ∘∘ alist1))|
   (permut_comp1 permut_comp2 permut_comp3 range_compose))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

5. (derive |mklset(range(alist ∘∘ alist1))=mklset(range(alist1))|
   (* double_inclusion))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)
(label permut_comp4)

6. (rw permut_comp1 (open permutp functp))
;UNIQUENESS(DOM(ALIST)) ∧ MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))
(label permut_comp5)

7. (rw permut_comp2 (open permutp))
;FUNCTP(ALIST1) ∧ MKLSET(DOM(ALIST1))=MKLSET(RANGE(ALIST1))

8. (trw |uniqueness(dom(alist ∘∘ alist1)) ∧
    mklset dom(alist ∘∘ alist1)=mklset range(alist ∘∘ alist1)|
   (use dom_compalist permut_comp4 mode: exact) permut_comp5
   (use * permut_comp3 mode: always direction: reverse))
;UNIQUENESS(DOM(ALIST ∘∘ ALIST1)) ∧
;  MKLSET(DOM(ALIST ∘∘ ALIST1))=MKLSET(RANGE(ALIST ∘∘ ALIST1))
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

9. (trw |permutp(alist ∘∘ alist1)| * (open permutp functp))
;PERMUTP(ALIST ∘∘ ALIST1)
;deps: (PERMUT_COMP1 PERMUT_COMP2 PERMUT_COMP3)

10. (ci (permut_comp1 permut_comp2 permut_comp3))
;PERMUTP(ALIST) ∧ PERMUTP(ALIST1) ∧ MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1)) ⊃
;  PERMUTP(ALIST ∘∘ ALIST1)
(label permutp_compalist) ■

8.26.7. Associativity of Composition.


;theorem 1 (ii)
(proof compalist_associativity)

1. (trw |mklset(range((xa.y).alist)) ⊂ mklset(dom alist1) ⊃
    member(y,dom alist1) ∧ mklset range(alist) ⊂ mklset dom(alist1)|
   (open mklset inclusion range member)(use normal mode: always))
;MKLSET(RANGE((XA.Y).ALIST)) ⊂ MKLSET(DOM(ALIST1)) ⊃
;  MEMBER(Y,DOM(ALIST1)) ∧ MKLSET(RANGE(ALIST)) ⊂ MKLSET(DOM(ALIST1))

2. (trw |member(y,dom alist1) ∧ mklset range(alist) ⊂ mklset dom(alist1) ⊃
    mklset(range((xa.y).alist)) ⊂ mklset(dom alist1)| (der)
   (open mklset inclusion range member)(use normal mode: always))
;MEMBER(Y,DOM(ALIST1)) ∧ MKLSET(RANGE(ALIST)) ⊂ MKLSET(DOM(ALIST1)) ⊃
;  MKLSET(RANGE((XA.Y).ALIST)) ⊂ MKLSET(DOM(ALIST1))

3. (derive |mklset(range((xa.y).alist)) ⊂ mklset(dom alist1) ≡
    member(y,dom alist1) ∧ mklset range(alist) ⊂ mklset dom(alist1)| (* -2))
(label helpinduction)

4. (ue (chi |λalist.mklset(range alist) ⊂ mklset(dom alist1) ⊃
    alist ∘∘ (alist1 ∘∘ alist2)=(alist ∘∘ alist1) ∘∘ alist2|)
   alistinduction
   (part 1 (open compalist)(use app_compalist * mode: always)))
;∀ALIST.MKLSET(RANGE(ALIST)) ⊂ MKLSET(DOM(ALIST1)) ⊃
;  ALIST ∘∘ (ALIST1 ∘∘ ALIST2)=(ALIST ∘∘ ALIST1) ∘∘ ALIST2
(label compalist_associativity) ■
(proof samemap_left)

1. (assume |samemap(alist1,alist2)|)
(label sml1)

2. (rw * (open samemap))
;MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2)) ∧
;  (∀Y.Y∈MKLSET(DOM(ALIST1)) ⊃ APPALIST(Y,ALIST1)=APPALIST(Y,ALIST2))
(label sml2)

3. (assume |y∈mklset dom(alist1)|)
(label sml3)

4. (derive |appalist(y,alist1)=appalist(y,alist2)| (sml2 sml3))
(label sml4)

5. (rw sml3 (use sml2 mode: exact))
;Y∈MKLSET(DOM(ALIST2))
(label sml5)

6. (rw sml3 (open epsilon mklset))
;MEMBER(Y,DOM(ALIST1))

7. (rw sml5 (open epsilon mklset))
;MEMBER(Y,DOM(ALIST2))

8. (trw |appalist(y,alist1 ∘∘ alist)=appalist(y,alist2 ∘∘ alist)|
   (use app_compalist *-2 mode: exact)
   (use app_compalist * mode: exact)
   (use sml4 mode: exact))
;APPALIST(Y,ALIST1 ∘∘ ALIST)=APPALIST(Y,ALIST2 ∘∘ ALIST)
;deps: (SML1 SML3)

9. (ci sml3)
;Y∈MKLSET(DOM(ALIST1)) ⊃ APPALIST(Y,ALIST1 ∘∘ ALIST)=APPALIST(Y,ALIST2 ∘∘ ALIST)

10. (trw |mklset(dom(alist1 ∘∘ alist))=mklset(dom(alist2 ∘∘ alist))|
    dom_compalist (use sml2 mode: exact))
;MKLSET(DOM(ALIST1 ∘∘ ALIST))=MKLSET(DOM(ALIST2 ∘∘ ALIST))

11. (trw |samemap(alist1 ∘∘ alist,alist2 ∘∘ alist)| (open samemap)
    (dom_compalist * -2))
;SAMEMAP(ALIST1 ∘∘ ALIST,ALIST2 ∘∘ ALIST)
;deps: (SML1)

12. (ci sml1)
;SAMEMAP(ALIST1,ALIST2) ⊃ SAMEMAP(ALIST1 ∘∘ ALIST,ALIST2 ∘∘ ALIST)
(label samemap_left) ■


8.26.9. Theorem 2, on Identity Alist.


;theorem 2 (i) (permutp idalistp)

(proof idalistprop)

1. (ue (chi |λalist.idalistp(alist) ⊃ dom alist=range alist|) alistinduction
   (open idalistp dom range))
;∀ALIST.IDALISTP(ALIST) ⊃ DOM(ALIST)=RANGE(ALIST)

2. (trw |∀alist.functp(alist) ∧ idalistp(alist) ⊃ permutp(alist)|
   (open functp permutp)(use * mode: always))
;∀ALIST.FUNCTP(ALIST) ∧ IDALISTP(ALIST) ⊃ PERMUTP(ALIST)
(label idalistp_permutp) ■

;theorem 2 (ii) (idalistp right)

3. (assume |idalistp(alist1)|)

4. (ue (chi |λalist.mklset(range(alist)) ⊂ mklset(dom(alist1)) ⊃
    (alist ∘∘ alist1=alist)|)
   alistinduction
   (part 1 (open compalist))
   (use helpinduction idalistp_main * mode: always))
;∀ALIST.MKLSET(RANGE(ALIST)) ⊂ MKLSET(DOM(ALIST1)) ⊃ ALIST ∘∘ ALIST1=ALIST
;deps: (3)

5. (ci -2)
;IDALISTP(ALIST1) ⊃
;  (∀ALIST.MKLSET(RANGE(ALIST)) ⊂ MKLSET(DOM(ALIST1)) ⊃ ALIST ∘∘ ALIST1=ALIST)
(label idalistp_right) ■

;theorem 2 (iii) (idalistp left)

(proof idalistp_left)

1. (assume |idalistp alistid|)
(label idal_l1)
;ALISTID is unknown.
;the symbol ALISTID is given the same declaration as ALIST

2. (assume |mklset dom(alistid)=mklset dom(alist)|)
(label idal_l2)

3. (assume |y∈mklset(dom(alistid ∘∘ alist))|)
(label idal_l3)

4. (rw * (use dom_compalist mode: exact)(open epsilon mklset))
(label idal_l4)
;MEMBER(Y,DOM(ALISTID))
;deps: (idal_l3)

5. (trw |appalist(y,alistid ∘∘ alist)| (use app_compalist * mode: exact))
;APPALIST(Y,ALISTID ∘∘ ALIST)=APPALIST(APPALIST(Y,ALISTID),ALIST)
(label idal_l5)

;labels: IDALISTP_MAIN
;∀ALIST Y.IDALISTP(ALIST) ∧ MEMBER(Y,DOM(ALIST)) ⊃ APPALIST(Y,ALIST)=Y

6. (derive |appalist(y,alistid)=y| (idalistp_main idal_l1 idal_l4))
;deps: (idal_l1 idal_l3)

7. (rw idal_l5 *)
;APPALIST(Y,ALISTID ∘∘ ALIST)=APPALIST(Y,ALIST)
;deps: (idal_l1 idal_l3)

8. (ci idal_l3)
;Y∈MKLSET(DOM(ALISTID ∘∘ ALIST)) ⊃ APPALIST(Y,ALISTID ∘∘ ALIST)=APPALIST(Y,ALIST)
(label idal_l6)
;deps: (idal_l1)

9. (trw |mklset(dom(alistid ∘∘ alist))=mklset dom(alist)|
   (use dom_compalist idal_l2 mode: exact))
;MKLSET(DOM(ALISTID ∘∘ ALIST))=MKLSET(DOM(ALIST))
;deps: (idal_l2)

;labels: SAMEMAPDEF
;∀ALIST ALIST1.SAMEMAP(ALIST,ALIST1)≡
;  MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1)) ∧
;  (∀Y.Y∈MKLSET(DOM(ALIST)) ⊃ APPALIST(Y,ALIST)=APPALIST(Y,ALIST1))

10. (trw |samemap(alistid ∘∘ alist,alist)| (open samemap) (idal_l6 *))
;SAMEMAP(ALISTID ∘∘ ALIST,ALIST)
;deps: (idal_l1 idal_l2)

11. (ci (idal_l1 idal_l2))
;IDALISTP(ALISTID) ∧ MKLSET(DOM(ALISTID))=MKLSET(DOM(ALIST)) ⊃
;  SAMEMAP(ALISTID ∘∘ ALIST,ALIST)
(label idalistp_left) ■


8.26.10.  Lemma  Atomrange. 


;a lemma: the range of a permutation contains only atoms
(proof atomrange)

1. (assume |mklset(dom(alist))=mklset(range(alist))|)

(label ar1)

2. (ue (chi |λalist.allp(λx.atom(x),dom alist)|)
alistinduction
(open allp dom))

;∀ALIST.ALLP(λX.ATOM X,DOM(ALIST))

(label ar2)

3. (ue ((phi1.|λx.atom(x)|)(x.x)(u.|dom alist|)) allp_elimination *)
;MEMBER(X,DOM(ALIST))⊃ATOM X

4. (trw |mklset dom(alist)⊂(λx.atom x)| * (open inclusion mklset))
;MKLSET(DOM(ALIST))⊂(λX.ATOM X)

5. (rw * (use ar1 mode: exact))

;MKLSET(RANGE(ALIST))⊂(λX.ATOM X)

6. (rw * (open inclusion mklset))

;∀XV.MEMBER(XV,RANGE(ALIST))⊃ATOM XV

7. (ue ((phi1.|λx.atom x|)(u.|range alist|))
allp_introduction *)

;ALLP(λX.ATOM X,RANGE(ALIST))

;MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))⊃ALLP(λX.ATOM X,RANGE(ALIST))
(label atomrange) ■


8.26.11.  Theorem  3,  on  Inversion  of  Alists. 


;theorem 3 (i)

(proof permutp_invalist)

;we borrow this result from the proof permutp_injectp

;labels: PERMUTP_INJECTP
;∀ALIST.PERMUTP ALIST⊃INJECTP ALIST


(proof permutp_invalist)
1. (assume |permutp alist|)

(label piv1)

2. (derive |injectp alist| (permutp_injectp piv1))

;deps: (PIV1)

3. (rw * (open injectp))

;FUNCTP(ALIST)∧UNIQUENESS(RANGE(ALIST))

(label piv2)

4. (rw piv1 (open permutp))

;FUNCTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))

(label piv3)

5. (derive |allp(λx.atom x,range alist)| (atomrange *))

(label piv4)

6. (derive |dom invalist(alist)=range alist| (dom_invalist *))

(label piv5)

7. (derive |range invalist(alist)=dom alist| (range_invalist piv4))

(label piv6)

8. (trw |uniqueness dom(invalist(alist))| piv2 (use piv5))

;UNIQUENESS(DOM(INVALIST(ALIST)))

(label piv7)

9. (trw |mklset dom(invalist(alist))=mklset range(invalist(alist))|
piv3 (use piv5 piv6))

;MKLSET(DOM(INVALIST(ALIST)))=MKLSET(RANGE(INVALIST(ALIST)))

(label piv8)

10. (trw |permutp invalist(alist)| piv7 piv8
(open permutp functp) (use invalistsort piv4 mode: exact))

;PERMUTP(INVALIST(ALIST))

;deps: (PIV1)

11. (ci piv1)

;PERMUTP(ALIST)⊃PERMUTP(INVALIST(ALIST))

(label permutp_invalist) ■

(proof invalistprop)

;theorem 3 (ii)

1. (ue (chi |λalist.allp(λx.atom x,range(alist))∧injectp(alist)⊃
idalistp(alist ∘ invalist(alist))|) alistinduction
(part 1 (use allpfact ue: ((phi.|λx.atom x|)(x.y)(u.|range alist|))))
(open range injectp functp uniqueness invalist
idalistp compalist appalist assoc)
(use invalistsort dom_invalist compalist_lemma mode: exact)))

;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
; IDALISTP(ALIST ∘ INVALIST(ALIST))

(label invalist_right) ■

;theorem 3 (iii)

2. (assume |allp(λx.atom x,range(alist))|)

3. (ue ((alist.|invalist(alist)|)(alist1.|alist|)(za.xa)(z.y)) compalist_lemma
(use * invalistsort range_invalist mode: exact))

;¬MEMBER(XA,DOM(ALIST))⊃INVALIST(ALIST) ∘ ((XA . Y) . ALIST)=INVALIST(ALIST) ∘ ALIST

4. (ci -2)

;ALLP(λX.ATOM X,RANGE(ALIST))⊃
;(¬MEMBER(XA,DOM(ALIST))⊃INVALIST(ALIST) ∘ ((XA . Y) . ALIST)=INVALIST(ALIST) ∘ ALIST)

5. (ue (chi |λalist.allp(λx.atom x,range(alist))∧injectp(alist)⊃
idalistp(invalist(alist) ∘ alist)|) alistinduction
(part 1 (open allp range injectp functp uniqueness
invalist compalist appalist assoc idalistp)
invalistsort (use range_invalist mode: exact) (use * mode: always)))

;∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃
; IDALISTP(INVALIST(ALIST) ∘ ALIST)

(label invalist_left) ■


8.27.  file  PERMP:  Functions  Represented  by  Lists,  Using  Predicates. 


;definitions of composition, identity, inverse as predicates
(proof comp_pred)

;composition of functions

(decl (comp) (type: |ground⊗ground⊗ground→truthval|) (syntype: constant)
(bindingpower: 930))

(define comp |∀u v w.comp(u,v,w)≡
length u=length w∧(∀n.n<length u⊃nth(u,n)=nth(v,nth(w,n)))|)

(label compdef)

;the identity function

(decl (id) (type: |ground→truthval|))

(defax id |∀u.id(u)≡(∀n.n<length u⊃nth(u,n)=n)|)

(label iddef)

;the inverse of a function

(decl (inv) (type: |ground⊗ground→truthval|))

(defax inv |∀u v.inv(u,v)≡(∀n.n<length u⊃nth(u,n)=fstposition(v,n))|)

(label invdef)


8.27.1.  Composition  of  Permutations  is  a  Permutation. 


(proof comp_perm)

1. (assume |perm(v)|)

(label cp_pm1)

2. (assume |perm(w)|)

(label cp_pm2)

3. (assume |length v=length w|)

(label cp_pm3)

4. (assume |comp(u,v,w)|)

(label cp_pm4)

5. (rw cp_pm1 (open perm into onto))

(label cp_pm5)

;(∀N.N<LENGTH V⊃NATNUM(NTH(V,N))∧NTH(V,N)<LENGTH V)∧
;(∀N.N<LENGTH V⊃MEMBER(N,V))
6. (rw cp_pm2 (open perm into onto))

(label cp_pm6)

;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))

7. (rw cp_pm4 (open comp))

(label cp_pm7)

;LENGTH U=LENGTH W∧(∀N.N<LENGTH U⊃NTH(U,N)=APPL(V,NTH(W,N)))

8. (assume |m<length(u)|)

(label cp_pm8)

9. (rw * (use cp_pm7 mode: always))

(label cp_pm9)

;M<LENGTH W

10. (derive |natnum(nth(w,m))∧nth(w,m)<length v| (cp_pm6 *)
(use cp_pm3 mode: exact))

11. (trw |natnum(nth(v,nth(w,m)))∧nth(v,nth(w,m))<length v| (* cp_pm5))
(label cp_pm10)

12. (derive |nth(u,m)=nth(v,nth(w,m))| (cp_pm7 cp_pm8)
(open appl) (use -2))

13. (rw cp_pm10 (use * mode: exact direction: reverse))

;NATNUM(NTH(U,M))∧NTH(U,M)<LENGTH V

(label cp_pm11)

14. (trw |length u=length v| (use cp_pm7 cp_pm3 mode: always))

;LENGTH U=LENGTH V

15. (rw cp_pm11 (use * mode: exact direction: reverse))
;NATNUM(NTH(U,M))∧NTH(U,M)<LENGTH U

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8)

16. (ci cp_pm8)

;M<LENGTH U⊃NATNUM(NTH(U,M))∧NTH(U,M)<LENGTH U

17. (trw |into u| (open into) *)

(label cp_into)

;INTO(U)

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4)

18. (rw cp_pm9 (use cp_pm3 mode: exact direction: reverse))

;M<LENGTH V

19. (trw |member(m,v)| (* cp_pm5))

;MEMBER(M,V)

(label cp_pm20)

20. (derive |∃j.j<length(v)∧nth(v,j)=m| (* member_nth))

(label cp_pm21)

;deps: (CP_PM1 CP_PM3 CP_PM4 CP_PM8)


21. (define jv |jv<length(v)∧nth(v,jv)=m| *)

(label cp_pm22)

22. (rw * (use cp_pm3 mode: exact))

;JV<LENGTH W∧NTH(V,JV)=M

23. (trw |member(jv,w)| (* cp_pm6))

;MEMBER(JV,W)

24. (derive |∃k.k<length(w)∧nth(w,k)=jv| (* member_nth))
;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8)

25. (define kv |kv<length(w)∧nth(w,kv)=jv| *)

(label cp_pm23)

26. (rw cp_pm22 (use * mode: always direction: reverse))
;NTH(W,KV)<LENGTH V∧NTH(V,NTH(W,KV))=M

(label cp_pm24)

27. (trw |kv<length(u)| cp_pm23 (use cp_pm7 mode: always))

;KV<LENGTH U

(label cp_pm25)

28. (trw |natnum nth(w,kv)| cp_pm23)

;NATNUM(NTH(W,KV))

29. (derive |nth(u,kv)=nth(v,nth(w,kv))| (cp_pm7 cp_pm25)
(open appl)(use *))

30. (rw * (use cp_pm24 mode: always))

;NTH(U,KV)=M

31. (derive |member(m,u)| nthmember
cp_pm25 (use * mode: exact direction: reverse))

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4 CP_PM8)

32. (ci cp_pm8)

;M<LENGTH U⊃MEMBER(M,U)

(label cp_onto)

33. (trw |perm u| (open perm onto) cp_into cp_onto)

;PERM(U)

;deps: (CP_PM1 CP_PM2 CP_PM3 CP_PM4)

34. (ci (cp_pm1 cp_pm2 cp_pm3 cp_pm4))

;PERM(V)∧PERM(W)∧LENGTH V=LENGTH W∧COMP(U,V,W)⊃PERM(U)

(label perm_composition) ■

Composition of functions is unique:

35. (trw |comp(u,v,w)∧comp(u1,v,w)⊃u=u1| (open comp) extensionality)
;COMP(U,V,W)∧COMP(U1,V,W)⊃U=U1

(label comp_uniqueness) ■


8.27.2.  Composition  is  Associative. 


(proof comp_associative)

1. (assume |into(w3)|)

(label ca1)

2. (assume |length w2=length w3|)
(label ca2)

3. (assume |comp(v,w1,w2)|)

(label ca3)

4. (assume |comp(u,v,w3)|)

(label ca4)


5. (assume |comp(v1,w2,w3)|)
(label ca5)

6. (assume |comp(u1,w1,v1)|)

(label ca6)

7. (assume |n<length u|)

(label ca7)

8. (rw ca4 (open comp))

;LENGTH U=LENGTH W3∧(∀N.N<LENGTH U⊃NTH(U,N)=NTH(V,NTH(W3,N)))
(label ca8)

;deps: (CA4)

9. (derive |n<length(w3)| (ca7 ca8))

(label ca9)

;deps: (CA4 CA7)

10. (derive |nth(u,n)=nth(v,nth(w3,n))| (ca7 ca8))

(label ca10)

;deps: (CA4 CA7)

11. (rw ca1 (open into))

;∀N.N<LENGTH W3⊃NATNUM(NTH(W3,N))∧NTH(W3,N)<LENGTH W3
;deps: (CA1)

12. (derive |natnum(nth(w3,n))∧nth(w3,n)<length(w2)| (ca9 * ca2))
(label ca11)

;deps: (CA1 CA2 CA4 CA7)

13. (rw ca3 (open comp))

;LENGTH V=LENGTH W2∧(∀N.N<LENGTH V⊃NTH(V,N)=NTH(W1,NTH(W2,N)))
(label ca12)

;deps: (CA3)

14. (derive |nth(w3,n)<length(v)| (ca11 ca12))

(label ca13)

;deps: (CA1 CA2 CA3 CA4 CA7)

15. (derive |∀n.n<length(v)⊃nth(v,n)=nth(w1,nth(w2,n))| ca12)

16. (ue (n |nth(w3,n)|) * ca11 ca13)

;NTH(V,NTH(W3,N))=NTH(W1,NTH(W2,NTH(W3,N)))

;deps: (CA1 CA2 CA3 CA4 CA7)

17. (rw ca10 (use * mode: exact))

;NTH(U,N)=NTH(W1,NTH(W2,NTH(W3,N)))

(label ca14)

;deps: (CA1 CA2 CA3 CA4 CA7)

18. (rw ca5 (open comp))

(label ca20)

;LENGTH V1=LENGTH W3∧(∀N.N<LENGTH V1⊃NTH(V1,N)=NTH(W2,NTH(W3,N)))

19. (derive |nth(v1,n)=nth(w2,nth(w3,n))| (ca9 ca20))

(label ca21)

;deps: (CA4 CA5 CA7)

20. (rw ca6 (open comp))

;LENGTH U1=LENGTH V1∧(∀N.N<LENGTH U1⊃NTH(U1,N)=NTH(W1,NTH(V1,N)))
(label ca22)

;deps: (CA6)

21. (rw ca9 (use ca20 ca22 mode: always direction: reverse))

;N<LENGTH U1

;deps: (CA4 CA5 CA6 CA7)
22. (derive |nth(u1,n)=nth(w1,nth(v1,n))| (ca22 *))

;deps: (CA4 CA5 CA6 CA7)

23. (rw * (use ca21 mode: exact))

;NTH(U1,N)=NTH(W1,NTH(W2,NTH(W3,N)))

(label ca23)

;deps: (CA4 CA5 CA6 CA7)

24. (rw ca14 (use ca23 mode: exact direction: reverse))
;NTH(U,N)=NTH(U1,N)

;deps: (CA1 CA2 CA3 CA4 CA5 CA6 CA7)

25. (ci ca7)

;N<LENGTH U⊃NTH(U,N)=NTH(U1,N)

(label ca24)

;deps: (CA1 CA2 CA3 CA4 CA5 CA6)

26. (trw |length u = length u1| (use ca8 ca22 mode: always)
(use ca20 mode: always direction: reverse))

;LENGTH U=LENGTH U1
;deps: (CA4 CA5 CA6)

27. (ue ((u.u)(v.u1)) extensionality ca24 *)

;U=U1

;deps: (CA1 CA2 CA3 CA4 CA5 CA6)

28. (ci (ca1 ca2 ca3 ca4 ca5 ca6))

;INTO(W3)∧LENGTH W2=LENGTH W3∧
;COMP(V,W1,W2)∧COMP(U,V,W3)∧
;COMP(V1,W2,W3)∧COMP(U1,W1,V1)⊃U=U1
(label associativity_pred) ■


8.27.3.  Using  Predicates:  Identity. 


;id implies perm
(proof idperm)

1. (trw |id(u)⊃into(u)| (open id into))
;ID(U)⊃INTO(U)

(label p_i1)

2. (assume |id(u)|)

(label p_i2)

3. (rw * (open id))

;∀N.N<LENGTH U⊃NTH(U,N)=N
(label p_i3)

4. (assume |n<length u|)

(label p_i4)

5. (derive |member(nth(u,n),u)| (* nthmember))

6. (derive |member(n,u)| (* p_i4 p_i3))

7. (ci p_i4)

;N<LENGTH U⊃MEMBER(N,U)

8. (derive |perm u| (p_i1 p_i2 *) (open perm onto))

9. (ci p_i2)

;ID(U)⊃PERM(U)
(label id_perm) ■

;Theorem 2 (ii) (id right)

(proof identity_right)

1. (assume |id(u)|)

(label id_r1)

2. (assume |comp(v,w,u)|)

(label id_r2)

3. (assume |length w=length u|)

(label id_r3)

4. (rw id_r1 (open id))

;∀N.N<LENGTH U⊃NTH(U,N)=N

(label id_r4)

5. (rw id_r2 (open comp))

;LENGTH V=LENGTH U∧(∀N.N<LENGTH U⊃NTH(V,N)=NTH(W,NTH(U,N)))

(label id_r5)

6. (rw * (use id_r4 mode: always))

;LENGTH V=LENGTH U∧(∀N.N<LENGTH U⊃NTH(V,N)=NTH(W,N))

(label id_r6)

7. (trw |length v=length w| (use id_r3 id_r5 mode: always))

;LENGTH V=LENGTH W

8. (derive |v=w| (extensionality id_r6 *))

9. (ci (id_r1 id_r2 id_r3))

;ID(U)∧COMP(V,W,U)∧LENGTH W=LENGTH U⊃V=W

(label id_right) ■

;Theorem 2 (iii) (id left)

(proof identity_left)

1. (assume |id(u)|)

(label id_l1)

2. (assume |perm w|)

(label id_l2)

3. (assume |length w=length u|)

(label id_l3)

4. (assume |comp(v,u,w)|)

(label id_l4)

5. (rw id_l1 (open id))

;∀N.N<LENGTH U⊃NTH(U,N)=N

(label id_l5)

6. (rw id_l4 (open comp))

;LENGTH V=LENGTH W∧(∀N.N<LENGTH V⊃NTH(V,N)=NTH(U,NTH(W,N)))

(label id_l6)

7. (rw id_l2 (open perm onto into))

;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))

(label id_l7)

8. (trw |∀m.m<length u⊃natnum(nth(w,m))∧nth(w,m)<length u| id_l7
(use id_l3 mode: exact direction: reverse))

;∀M.M<LENGTH U⊃NATNUM(NTH(W,M))∧NTH(W,M)<LENGTH U
(label id_l8)

9. (trw |∀m.m<length u⊃nth(u,nth(w,m))=nth(w,m)| id_l5 *)
;∀M.M<LENGTH U⊃NTH(U,NTH(W,M))=NTH(W,M)

(label id_l9)

10. (assume |m<length v|)

(label id_l10)

11. (trw |m<length u| *
(use id_l3 id_l6 mode: exact direction: reverse))
;M<LENGTH U
(label id_l11)

12. (derive |nth(u,nth(w,m))=nth(w,m)| (id_l9 id_l11))

13. (derive |nth(v,m)=nth(w,m)| (id_l6 id_l10)
(use * mode: exact direction: reverse))

14. (ci id_l10)

;M<LENGTH V⊃NTH(V,M)=NTH(W,M)

15. (derive |w=v| (extensionality id_l6 *))

16. (ci (id_l1 id_l2 id_l3 id_l4))

;ID(U)∧PERM(W)∧LENGTH W=LENGTH U∧COMP(V,U,W)⊃W=V
(label id_left) ■


8.27.4.  Using  Predicates:  the  Inverse  Permutation  Theorem. 
Theorem 3 (i) (Inv Perm)

∀U V.PERM(U)∧INV(V,U)∧LENGTH V=LENGTH U⊃PERM(V)

Part 1: inv implies into

(proof inv_into)

1. (assume |perm(u)|)

(label ii1)

2. (assume |inv(v,u)|)

(label ii2)

3. (assume |length v=length u|)

(label ii3)

4. (rw ii1 (open perm into onto))

(label ii4)

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

5. (rw ii2 (open inv))

(label ii5)

;∀N.N<LENGTH V⊃NTH(V,N)=FSTPOSITION(U,N)

6. (assume |m<length v|)

(label ii6)

7. (derive |nth(v,m)=fstposition(u,m)| (ii5 ii6))
(label ii7)

8. (rw ii6 (use ii3 mode: exact))

;M<LENGTH U

9. (derive |member(m,u)| (* ii4))

;MEMBER(M,U)

10. (trw |natnum fstposition(u,m)∧fstposition(u,m)<length u|
(use pos_length * mode: always)
(use posfacts ue: ((u.u)(y.m))))
;NATNUM(FSTPOSITION(U,M))∧FSTPOSITION(U,M)<LENGTH U

11. (rw * (use ii3 ii7 mode: exact direction: reverse))
;NATNUM(NTH(V,M))∧NTH(V,M)<LENGTH V

;deps: (II1 II2 II3 II6)

12. (ci ii6)

;M<LENGTH V⊃NATNUM(NTH(V,M))∧NTH(V,M)<LENGTH V

13. (trw |into v| (open into) *)

;INTO(V)

;deps: (II1 II2 II3)

14. (ci (ii1 ii2 ii3))

;PERM(U)∧INV(V,U)∧LENGTH V=LENGTH U⊃INTO(V)

(label inv_into) ■

Part 2: inv implies perm

(proof inv_onto)

1. (assume |perm u|)

(label io1)

2. (assume |inv(v,u)|)

(label io2)

3. (assume |length v=length u|)

(label io3)

4. (rw io1 (open perm into onto))

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

(label io4)

5. (rw io2 (open inv))

;∀N.N<LENGTH V⊃NTH(V,N)=FSTPOSITION(U,N)

(label io5)

6. (derive |∀n.n<length u⊃fstposition(u,nth(u,n))=n|
(fstposition_nth perm_injectivity uniqueness_injectivity io1 io4))
;deps: (IO1)

(label io6)

7. (assume |n<length v|)

(label io7)

8. (rw * (use io3 mode: exact))

;N<LENGTH U

(label io8)

9. (derive |natnum(nth(u,n))∧nth(u,n)<length v| (io3 io4 io8))

(label io9)

;deps: (IO1 IO3 IO7)

We can use the fact that v is the inverse of u...

10. (trw |nth(v,nth(u,n))=fstposition(u,nth(u,n))| (io5 *))
;NTH(V,NTH(U,N))=FSTPOSITION(U,NTH(U,N))

(label io10)

;deps: (IO1 IO2 IO3 IO7)


...the lemma Fstposition Nth...

11. (rw * (use io6 io8 mode: exact))
;NTH(V,NTH(U,N))=N
(label io11)

;deps: (IO1 IO2 IO3 IO7)


...the lemma Nthmember...

12. (trw |member(nth(v,nth(u,n)),v)| (nthmember io9))
;MEMBER(NTH(V,NTH(U,N)),V)

;deps: (IO1 IO3 IO7)

13. (rw * (use io11 mode: exact))

;MEMBER(N,V)

;deps: (IO1 IO2 IO3 IO7)

...and obtain the second condition for ontoness.

14. (ci io7)

;N<LENGTH V⊃MEMBER(N,V)

;deps: (IO1 IO2 IO3)

15. (derive |into v| (inv_into io1 io2 io3))

;deps: (IO1 IO2 IO3)

16. (trw |perm v| (open perm onto) -2 *)

;PERM(V)

;deps: (IO1 IO2 IO3)

17. (ci (io1 io2 io3))

;PERM(U)∧INV(V,U)∧LENGTH V=LENGTH U⊃PERM(V)

(label inv_perm) ■


8.27.5.  Using  Predicates:  the  Right  Inverse  Theorem. 


;the theorem right inverse
(proof inverse_right)

1. (assume |perm w|)

(label invr1)

2. (assume |inv(u,w)|)

(label invr2)

3. (assume |length u=length w|)

(label invr3)

4. (assume |comp(v,w,u)|)

(label invr4)

5. (rw invr1 (open perm onto into))

;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))
(label invr5)

6. (rw invr2 (open inv))

;∀N.N<LENGTH U⊃NTH(U,N)=FSTPOSITION(W,N)

(label invr6)

7. (rw invr4 (open comp))

;LENGTH V=LENGTH U∧(∀N.N<LENGTH U⊃NTH(V,N)=NTH(W,NTH(U,N)))

(label invr7)

8. (assume |m<length v|)

(label invr8)

9. (rw * (use invr7 mode: exact))

;M<LENGTH U

(label invr9)

10. (trw |nth(v,m)=nth(w,fstposition(w,m))| (invr7 *)
(use invr6 mode: always direction: reverse))

;NTH(V,M)=NTH(W,FSTPOSITION(W,M))

(label invr10)

11. (rw invr9 (use invr3 mode: exact))

;M<LENGTH W

12. (derive |member(m,w)| (invr5 *))

;labels: NTH_FSTPOSITION

;∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N

13. (rw invr10 (use nth_fstposition * mode: always))

;NTH(V,M)=M

14. (ci invr8)

;M<LENGTH V⊃NTH(V,M)=M

15. (trw |id(v)| (open id) *)

;ID(V)

16. (ci (invr1 invr2 invr4 invr3))

;PERM(W)∧INV(U,W)∧COMP(V,W,U)∧LENGTH U=LENGTH W⊃ID(V)

(label inv_right) ■


8.27.6.  Using  Predicates:  the  Left  Inverse  Theorem. 


(proof compose_inverse_left)

1. (assume |perm(w)|)

(label invl_1)

2. (assume |inv(u,w)|)

(label invl_2)

3. (assume |comp(v,u,w)|)

(label invl_3)

4. (assume |length(w)=length(u)|)

(label invl_4)

5. (rw invl_2 (open inv))

;∀N.N<LENGTH U⊃NTH(U,N)=FSTPOSITION(W,N)
(label invl_5)
6. (rw invl_1 (open perm onto into))

;(∀N.N<LENGTH W⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH W)∧
;(∀N.N<LENGTH W⊃MEMBER(N,W))

(label invl_6)

;deps: (INVL_1)

7. (rw invl_3 (open comp))

;LENGTH V=LENGTH W∧(∀N.N<LENGTH V⊃NTH(V,N)=NTH(U,NTH(W,N)))

(label invl_7)

8. (derive |∀n.n<length w⊃fstposition(w,nth(w,n))=n|
(fstposition_nth perm_injectivity uniqueness_injectivity
invl_1 invl_6))

(label invl_8)

;deps: (INVL_1)

9. (rw invl_6 (use invl_4 mode: exact))

;(∀N.N<LENGTH U⊃NATNUM(NTH(W,N))∧NTH(W,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,W))

(label invl_9)

;deps: (INVL_1 INVL_4)

10. (assume |n<length v|)

(label invl_10)

11. (rw * (use invl_7 mode: always))

;N<LENGTH W

(label invl_11)

;deps: (INVL_3 INVL_10)

12. (rw * invl_4)

;N<LENGTH U
(label invl_12)

;deps: (INVL_3 INVL_4 INVL_10)

13. (derive |natnum(nth(w,n))∧nth(w,n)<length u| (invl_9 *))

(label invl_13)

;deps: (INVL_1 INVL_3 INVL_4 INVL_10)

14. (derive |NTH(V,N)=NTH(U,NTH(W,N))| (invl_7 invl_10))

(label invl_14)

;deps: (INVL_3 INVL_10)

15. (rw invl_14 (use invl_5 ue: ((n.|nth(w,n)|)) invl_13 mode: exact))
;NTH(V,N)=FSTPOSITION(W,NTH(W,N))

(label invl_15)

;deps: (INVL_1 INVL_2 INVL_3 INVL_4 INVL_10)

;want to apply the lemma fstposition_nth

16. (rw invl_15 (use invl_8 invl_11 mode: always))

;NTH(V,N)=N

;deps: (INVL_1 INVL_2 INVL_3 INVL_4 INVL_10)

;and so v is the identity function

17. (ci invl_10)

;N<LENGTH V⊃NTH(V,N)=N

;deps: (INVL_1 INVL_2 INVL_3 INVL_4)

18. (trw |id v| (open id) *)

;ID(V)

;deps: (INVL_1 INVL_2 INVL_3 INVL_4)

19. (ci (invl_1 invl_2 invl_3 invl_4))
;PERM(W)∧INV(U,W)∧COMP(V,U,W)∧LENGTH W=LENGTH U⊃ID(V)
(label inverse_left) ■


8.28. file PERMF: Functions Represented by Lists, Using Functions.


;definitions of composition, identity and inverse as functions.

(proof comp_fnct)

1. (decl def_appl (type: |@u⊗@u→truthval|))

2. (define def_appl |∀u v.def_appl(v,u)≡allp(λx.natnum(x)∧x<length(v),u)|)
(label def_appl_fact)

;composition of functions:

3. (decl (compose) (infixname: |*|) (type: |ground⊗ground→ground|)
(syntype: constant)(bindingpower: 930))

4. (define compose |∀u v x.(u*nil)=nil∧
(u*(x.v))=(nth(u,x)).(u*v)| listinductiondef)

(label composedef)

;the identity function:

5. (decl (ident1) (type: |ground⊗ground→ground|))

6. (defax ident1 |∀x u n i.ident1(i,0)=nil∧
ident1(i,n')=i.ident1(i',n)|)

(label identdef1)

7. (decl (ident) (type: |ground→ground|))

8. (define ident |∀n.ident(n)=ident1(0,n)|)

(label identdef)

;the inverse of a function:

9. (decl (invers1) (type: |ground⊗ground⊗ground→ground|))

10. (defax invers1
|∀u i n.invers1(u,i,0)=nil∧invers1(nil,i,n)=nil∧
invers1(u,i,n')=if null(fstposition(u,i))
then nil
else fstposition(u,i).invers1(u,i',n)|)

(label inversdef1)

11. (decl (inverse) (type: |ground→ground|))

12. (define inverse |∀u.inverse(u)=invers1(u,0,length(u))|)

(label inversdef)
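The PERMP predicates and the PERMF functions above, executed on concrete lists as an added illustration (Python, not EKL and not the paper's own code); it assumes `fstposition(u,x)` is the index of the first occurrence of `x` in `u` and NIL when `x` is absent, which is how the proofs use it, and it also checks the theorems of 8.27 and 8.30 on sample permutations and on a non-permutation that hits the NIL branch of `invers1`.

```python
"""Added illustration (Python, not EKL and not the paper's own code): the list
representation of permutations from files PERMP and PERMF, executed on concrete
lists.  A function on {0,...,n-1} is a list u with nth(u,i) = u[i];
fstposition(u,x) is assumed to be the index of the first occurrence of x in u,
NIL (None here) when x is not a member, which is how the proofs use it."""
from typing import Dict, List, Optional


def fstposition(u: List[int], x: int) -> Optional[int]:
    """Index of the first occurrence of x in u, or None (NIL) if absent."""
    return u.index(x) if x in u else None


# Sort predicates: PERM(u) = INTO(u) ∧ ONTO(u).
def into(u: List[int]) -> bool:
    """Every entry is a natural number below LENGTH u."""
    return all(isinstance(x, int) and 0 <= x < len(u) for x in u)


def onto(u: List[int]) -> bool:
    """Every n < LENGTH u occurs as an entry (MEMBER(n, u))."""
    return all(n in u for n in range(len(u)))


def perm(u: List[int]) -> bool:
    return into(u) and onto(u)


def def_appl(v: List[int], u: List[int]) -> bool:
    """ALLP(λx.NATNUM(x) ∧ x < LENGTH v, u): v may be applied at every entry of u."""
    return all(isinstance(x, int) and 0 <= x < len(v) for x in u)


# File PERMP: composition, identity and inverse as predicates.
def comp(u: List[int], v: List[int], w: List[int]) -> bool:
    """COMP(u,v,w): LENGTH u = LENGTH w ∧ ∀n<LENGTH u. nth(u,n) = nth(v, nth(w,n))."""
    return len(u) == len(w) and all(u[n] == v[w[n]] for n in range(len(u)))


def id_(u: List[int]) -> bool:
    """ID(u): ∀n<LENGTH u. nth(u,n) = n."""
    return all(u[n] == n for n in range(len(u)))


def inv(u: List[int], v: List[int]) -> bool:
    """INV(u,v): ∀n<LENGTH u. nth(u,n) = fstposition(v,n)."""
    return all(u[n] == fstposition(v, n) for n in range(len(u)))


# File PERMF: the same three operations as list-recursive functions.
def compose(u: List[int], v: List[int]) -> List[int]:
    """u*nil = nil ;  u*(x . v) = nth(u,x) . (u*v).  Needs DEF_APPL(u, v)."""
    return [] if not v else [u[v[0]]] + compose(u, v[1:])


def ident1(i: int, n: int) -> List[int]:
    """ident1(i,0) = nil ;  ident1(i,n') = i . ident1(i',n)  (i' is i+1)."""
    return [] if n == 0 else [i] + ident1(i + 1, n - 1)


def ident(n: int) -> List[int]:
    return ident1(0, n)


def invers1(u: List[int], i: int, n: int) -> List[int]:
    """invers1(u,i,0) = nil ; invers1(nil,i,n) = nil ;
    invers1(u,i,n') = if null(fstposition(u,i)) then nil
                      else fstposition(u,i) . invers1(u,i',n).
    The NIL branch is what makes PERM(u) necessary in Length Inverse."""
    if n == 0 or not u:
        return []
    p = fstposition(u, i)
    return [] if p is None else [p] + invers1(u, i + 1, n - 1)


def inverse(u: List[int]) -> List[int]:
    return invers1(u, 0, len(u))


def check_theorems(u: List[int], v: List[int], w: List[int]) -> Dict[str, bool]:
    """Evaluate the theorems of sections 8.27 and 8.30 on concrete permutations
    u, v, w of one length; every entry should be True when all three are perms."""
    n = len(u)
    return {
        "perm_compose": perm(compose(u, v)),                  # Theorem 1 (i)
        "assoc_compose": compose(compose(w, v), u) == compose(w, compose(v, u)),
        "comp_agrees": comp(compose(u, v), u, v),             # PERMP vs PERMF
        "inv_agrees": inv(inverse(u), u),
        "identity_right": compose(u, ident(n)) == u,          # Theorem 2 (ii)
        "identity_left": compose(ident(n), u) == u,           # Theorem 2 (iii)
        "inv_perm": perm(inverse(u)),                         # Theorem 3 (i)
        "length_inverse": len(inverse(u)) == n,
        "inverse_right": id_(compose(u, inverse(u))),         # u ∘ u⁻¹ = id
        "inverse_left": id_(compose(inverse(u), u)),          # u⁻¹ ∘ u = id
    }


if __name__ == "__main__":
    # Constructed sample permutations of {0,1,2,3}.
    print(check_theorems([2, 0, 3, 1], [1, 2, 3, 0], [3, 2, 1, 0]))
    # [0, 0] is INTO but not ONTO: invers1 hits the NIL branch and the
    # inverse is shorter than u, so Length Inverse fails without PERM(u).
    print(inverse([0, 0]), perm([0, 0]))
```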


8.29.  Condition  for  Definiteness  and  Sorts  of  the  Functions. 

(proof def_appl_condition)

1. (assume |into u|)

2. (assume |length u≤length v|)

3. (rw -2 (open into))

;∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U

4. (trw |∀n.n<length u⊃natnum nth(u,n)∧nth(u,n)<length v| *
(less_lesseq_fact1 -2))

;∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH V

5. (ue ((phi1.|λx.natnum x∧x<length v|)(u.u)) nth_allp *)
;ALLP(λX.NATNUM(X)∧X<LENGTH V,U)

6. (trw |def_appl(v,u)| (open def_appl) *)

;DEF_APPL(V,U)

7. (ci (-6 -5))

;INTO(U)∧LENGTH U≤LENGTH V⊃DEF_APPL(V,U)

(label def_appl_condition) ■

;check sorts

;compose:

8. (ue (phi |λu.def_appl(v,u)⊃listp v*u|) listinduction
(part 1 (open def_appl allp compose)))
;∀U.DEF_APPL(V,U)⊃LISTP V*U
(label sortcomp) (label simpinfo) ■

;ident:

9. (ue (a |λn.∀m.listp ident1(m,n)|) proof_by_induction
(open ident1))

;∀N M.LISTP IDENT1(M,N)

(label ident_sort1) (label simpinfo) ■

10. (trw |∀n.listp ident(n)| (open ident) *)

;∀N.LISTP IDENT(N)

(label ident_sort) (label simpinfo) ■

;inverse

11. (ue (a |λn.∀i.listp invers1(u,i,n)|)
proof_by_induction
(open invers1) posfacts)

;∀N I.LISTP INVERS1(U,I,N)

(label invers_sort1) (label simpinfo) ■

12. (trw |listp inverse(u)| (open inverse) *)

;LISTP INVERSE(U)

(label inverse_sort) (label simpinfo) ■


8.30.  Length  Compose. 


;length compose
(proof length_compose)

1. (assume |def_appl(w,u)|)

(label l_c_1)

2. (rw * (open def_appl))

(label l_c_2)

;ALLP(λX.NATNUM(X)∧X<LENGTH W,U)

3. (assume |n<length(u)|)

(label l_c_3)

4. (ue ((u.u)(x.|nth(u,n)|)(phi1.|λx.natnum(x)∧x<length(w)|))
allp_elimination
nthmember sexp_nth l_c_3 l_c_2)

;NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH W
(label l_c_4)

5. (trw |sexp(nth(w,nth(u,n)))| sexp_nth l_c_4)

;SEXP NTH(W,NTH(U,N))

(label l_c_sort1)

6. (ci l_c_3)

;N<LENGTH U⊃SEXP NTH(W,NTH(U,N))

(label l_c_7)

7. (derive |allp(λx.natnum(x)∧x<length w,nthcdr(u,n'))|
(allp_nthcdr l_c_2))

;ALLP(λX.NATNUM(X)∧X<LENGTH W,NTHCDR(U,N'))

8. (derive |listp(w*nthcdr(u,n'))| (* sortcomp))

(label l_c_sort2)

9. (ci l_c_3)

;N<LENGTH U⊃LISTP W*NTHCDR(U,N')
(label l_c_8)

10. (ue ((phi.|λu.length(w*u)=length(u)|)(u.u))
nthcdr_induction
(part 1 (open compose length)) l_c_7 l_c_8)
;LENGTH (W*U)=LENGTH U

11. (ci l_c_1)

;DEF_APPL(W,U)⊃LENGTH (W*U)=LENGTH U
(label length_compose) ■


8.30.1.  Length  Ident. 


1. (ue (a |λn.∀m.length ident1(m,n)=n|)
proof_by_induction
(open ident1))

;∀N M.LENGTH (IDENT1(M,N))=N

(label length_ident1) (label simpinfo)

2. (trw |∀N.LENGTH (IDENT(N))=N| * (open ident))
(label length_ident) (label simpinfo) ■


8.30.2.  Length  Inverse. 


(proof lengthinverse)

1. (assume |perm(u)|)

(label li1)

2. (rw li1 (open perm onto into))

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

(label li2)

3. (ue ((u.|u|) (y.|n|)) posfacts)

;(NULL FSTPOSITION(U,N)⊃¬MEMBER(N,U))∧
;(MEMBER(N,U)⊃NATNUM(FSTPOSITION(U,N)))

4. (derive |n<length u⊃¬null fstposition(u,n)| (3 li2))

(label li3)

5. (ue ((m.|n|) (n.|length u|)) minusfact11
(part 1 (use less_lesseqsucc mode: exact)))

;N'≤LENGTH U⊃LENGTH U-N'<LENGTH U

6. (derive |n'≤length u⊃¬null fstposition(u,length u-n')| (5 li3))
(label li4)

7. (trw |n'≤length u⊃(length u-n')'=length u-n|
(use minusfact10)
(use less_lesseqsucc mode: exact direction: reverse))
;N'≤LENGTH U⊃(LENGTH U-N')'=LENGTH U-N

8. (ue (a |λn.n≤length u⊃length (invers1(u,length u-n,n))=n|)
proof_by_induction
(open invers1) (use succ_lesseq_lesseq) (use 7) (use li4))
;∀N.N≤LENGTH U⊃LENGTH (INVERS1(U,LENGTH U-N,N))=N

9. (ue (n |length u|) * (open lesseq))

;LENGTH (INVERS1(U,0,LENGTH U))=LENGTH U

10. (trw |length inverse(u)=length u| (open inverse) *)

;LENGTH (INVERSE(U))=LENGTH U

;deps: (LI1)

11. (ci li1)

;PERM(U)⊃LENGTH (INVERSE(U))=LENGTH U
(label lengthinverse) ■


8.30.3. Compose.


(proof nth_compose)

1. (ue (phi |λu.¬null(u)∧def_appl(v,u)⊃nth(v*u,0)=nth(v,nth(u,0))|)
listinduction
(part 1 (open compose nth def_appl allp)))

;∀U.¬NULL U∧DEF_APPL(V,U)⊃CAR (V*U)=NTH(V,CAR U)

(label a_c_base1)

2. (ue (phi3 |λu n.def_appl(v,u)∧n<length(u)⊃nth(v*u,n)=nth(v,nth(u,n))|)
doubleinduction1
(part 1 (open compose def_appl allp)) a_c_base1)

;∀U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V*U,N)=NTH(V,NTH(U,N))

(label nth_compose) ■


8.30.4. Compose Permutation.

Theorem 1 (i) (Perm Compose)

∀U V.PERM(U)∧PERM(V)∧LENGTH U=LENGTH V⊃PERM(U*V)
(proof perm_compose)

1. (assume |perm u|)

(label pc1)

2. (assume |perm v|)

(label pc2)

3. (assume |length u = length v|)

(label pc3)

4. (rw pc2 (open perm onto))

(label pc4)

;INTO(V)∧(∀N.N<LENGTH V⊃MEMBER(N,V))

;deps: (PC2)

5. (ue ((u.v)(v.u)) def_appl_condition (open lesseq) pc3 pc4)
;DEF_APPL(U,V)

(label pc5)

;deps: (PC2 PC3)

6. (ue ((u.v)(w.u)) length_compose pc5)

;LENGTH (U*V)=LENGTH V

(label pc6)

;deps: (PC2 PC3)

7. (assume |n<length(u*v)|)

(label pc7)

8. (rw * (use pc6 mode: exact))

;N<LENGTH V

(label pc8)

;deps: (PC2 PC3 PC7)

9. (rw pc2 (open perm onto into))

;(∀N.N<LENGTH V⊃NATNUM(NTH(V,N))∧NTH(V,N)<LENGTH V)∧
;(∀N.N<LENGTH V⊃MEMBER(N,V))

(label pc9)

;deps: (PC2)

10. (derive |natnum(nth(v,n))∧nth(v,n)<length u| (pc8 *)
(use pc3 mode: exact))

(label pc10)

;deps: (PC2 PC3 PC7)

11. (rw pc1 (open perm onto into))

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

(label pc11)

;deps: (PC1)

12. (ue (n |nth(v,n)|) * pc10)

;NATNUM(NTH(U,NTH(V,N)))∧NTH(U,NTH(V,N))<LENGTH U∧MEMBER(NTH(V,N),U)
(label pc12)

;deps: (PC1 PC2 PC3 PC7)

13. (derive |nth(u*v,n)=nth(u,nth(v,n))| (nth_compose pc5 pc8))

(label pc13)

;deps: (PC2 PC3 PC7)

14. (trw |natnum nth(u*v,n)∧nth(u*v,n)<length(u*v)| pc12
(use pc13 pc6 mode: exact)
(use pc3 mode: exact direction: reverse))

;NATNUM(NTH(U*V,N))∧NTH(U*V,N)<LENGTH (U*V)

;deps: (PC1 PC2 PC3 PC7)
;N<LENGTH (U*V)⊃NATNUM(NTH(U*V,N))∧NTH(U*V,N)<LENGTH (U*V)

;deps: (PC1 PC2 PC3)

16. (trw |into(u*v)| * (open into) pc5)

;INTO(U*V)

(label pc_into)

;deps: (PC1 PC2 PC3)

;part 2

17. (rw pc8 (use pc3 mode: exact direction: reverse))

;N<LENGTH U

(label pc20)

;deps: (PC2 PC3 PC7)

;labels: MEMBER_NTH

;∀U Y.MEMBER(Y,U)⊃(∃N.N<LENGTH U∧NTH(U,N)=Y)

18. (define jv |jv<length u ∧ nth(u,jv)=n| (* pc11 member_nth))

(label pc21)

;JV is unknown.

;the symbol JV is given the same declaration as J
;deps: (PC1 PC2 PC3 PC7)

19. (derive |jv<length v| * (use pc3 mode: exact direction: reverse))
;deps: (PC1 PC2 PC3 PC7)

20. (define kv |kv<length v ∧ nth(v,kv)=jv| (* pc9 member_nth))

(label pc22)

;KV is unknown.

;the symbol KV is given the same declaration as K
;deps: (PC1 PC2 PC3 PC7)

;labels: NTH_COMPOSE

;∀V U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V*U,N)=NTH(V,NTH(U,N))

21. (ue ((v.u)(u.v)(n.kv)) nth_compose pc5
(use * mode: always)(use pc21 mode: always))

(label pc23)

;NTH(U*V,KV)=N

;deps: (PC1 PC2 PC3 PC7)

22. (derive |kv<length(u*v)| (pc22 pc6))

;deps: (PC1 PC2 PC3 PC7)

;labels: NTHMEMBER

;∀U N.N<LENGTH U⊃MEMBER(NTH(U,N),U)

23. (trw |member(nth(u*v,kv),u*v)| (nthmember pc5 *))

;MEMBER(NTH(U*V,KV),U*V)

;deps: (PC1 PC2 PC3 PC7)

24. (rw * pc23)

;MEMBER(N,U*V)

;deps: (PC1 PC2 PC3 PC7)

25. (ci pc7)

;N<LENGTH (U*V)⊃MEMBER(N,U*V)

;deps: (PC1 PC2 PC3)

(label pc_onto)

26. (trw |perm(u*v)| (pc5 pc_into pc_onto) (open perm onto))
;PERM(U*V)

;deps: (PC1 PC2 PC3)


27. (ci (pc1 pc2 pc3))

;PERM(U)∧PERM(V)∧LENGTH U=LENGTH V⊃PERM(U∘V)

(label perm_compose) ■

;Theorem 1 (ii) (associativity of composition)

(proof assoc_compose)

1. (trw |def_appl(w,v)∧def_appl(v,u)⊃(w∘v)∘nil=w∘(v∘nil)|
   (open compose) sortcomp)

(label ass_comp_base)

2. (ue (phi |λu.def_appl(w,v)∧def_appl(v,u)⊃(w∘v)∘u=w∘(v∘u)|)
   listinduction
   (part 1#2 (open compose def_appl allp)) sortcomp ass_comp_base
   (use nth_compose ue: ((v.w)(u.v))))

;∀U.DEF_APPL(W,V)∧DEF_APPL(V,U)⊃(W∘V)∘U=W∘(V∘U)

(label assoc_comp)

3. (assume |perm(v)∧perm(u)∧length(v)=length(u)∧length(w)=length(u)|)

4. (rw * (open perm onto))

;INTO(V)∧(∀N.N<LENGTH V⊃MEMBER(N,V))∧
;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))∧
;LENGTH V=LENGTH U∧LENGTH W=LENGTH U

5. (ue ((u.v)(v.w)) def_appl_condition * (open lesseq))

;DEF_APPL(W,V)

6. (ue ((u.u)(v.v)) def_appl_condition -2 (open lesseq))

;DEF_APPL(V,U)

7. (derive |(w∘v)∘u=w∘(v∘u)| (assoc_comp * -2))

8. (ci -5)

;PERM(V)∧PERM(U)∧LENGTH V=LENGTH U∧LENGTH W=LENGTH U⊃(W∘V)∘U=W∘(V∘U)

(label associativity_of_composition) ■


8.30.5. Identity.


(proof id_main)

;id main

1. (assume |n<m⊃nthcdr(ident(m),n)=ident1(n,m-n)|)
(label id_main1)

2. (assume |n'<m|)

(label id_main2)

3. (derive |nthcdr(ident(m),n)=ident1(n,m-n)|
   (id_main1 id_main2 succ_less_less))

;deps: (ID_MAIN1 ID_MAIN2)

4. (rw * (use minusfact10 mode: exact) (open ident1)
   (use id_main2 succ_less_less mode: exact))

;NTHCDR(IDENT(M),N)=N.IDENT1(N',M-N')

;deps: (ID_MAIN1 ID_MAIN2)

5. (trw |nthcdr(ident m,n')|
   (use cdr_nthcdr mode: exact direction: reverse)
   (use * mode: exact))

;NTHCDR(IDENT(M),N')=IDENT1(N',M-N')
6. (ci id_main2)

;N'<M⊃NTHCDR(IDENT(M),N')=IDENT1(N'

7. (ci id_main1)

;(N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,M-N))⊃
;(N'<M⊃NTHCDR(IDENT(M),N')=IDENT1(N',M-N'))

8. (ue (a |λn.n<m⊃nthcdr(ident(m),n)=ident1(n,m-n)|)
   proof_by_induction
   (part 1#1 (open minus ident)) *)
;∀N.N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,M-N)

(label nthcdr_ident)

9. (rw * (use minusfact10 mode: exact))

;∀N.N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,(M-N')')

10. (ue ((u.|ident m|)(n.n)) car_nthcdr (use * mode: always))
;N<M⊃N=NTH(IDENT(M),N)

11. (trw |∀n m.n<m⊃nth(ident m,n)=n| *)

(label id_main) ■

(proof perm_ident)

;only ontoness requires some help

1. (assume |n<length ident(m)|)

(label prm_id1)

2. (rw * (open ident))

;N<M

(label prm_id2)

3. (derive |nth(ident(m),n)=n| (* id_main))

4. (derive |member(nth(ident m,n),ident m)|
   (nthmember prm_id1))

5. (rw * (use -2 mode: exact))

;MEMBER(N,IDENT(M))

6. (ci prm_id1)

;N<M⊃MEMBER(N,IDENT(M))

7. (trw |∀n.perm(ident n)| (open perm into onto)
   (use id_main mode: always) *)

;∀N.PERM(IDENT(N))

(label perm_ident) ■


8.30.6. Right Identity.


(proof identity_right)

1. (rw perm_id (open perm onto))

;∀N.INTO(IDENT(N))∧(∀N1.N1<N⊃MEMBER(N1,IDENT(N)))

;labels: DEF_APPL_CONDITION

;∀U V.INTO(U)∧LENGTH U≤LENGTH V⊃DEF_APPL(V,U)

2. (ue ((u.|ident(length u)|)(v.u))
   def_appl_condition * (open lesseq))

;DEF_APPL(U,IDENT(LENGTH U))

;labels: NTH_COMPOSE

;∀V U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V∘U,N)=NTH(V,NTH(U,N))

3. (ue ((u.|ident(length u)|)(v.u)(n.n)) nth_compose *
   (use id_main mode: exact))

;N<LENGTH U⊃NTH(U∘IDENT(LENGTH U),N)=NTH(U,N)

;labels: EXTENSIONALITY

;∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃APPL(U,I)=APPL(V,I))⊃U=V

4. (ue ((u.|u∘ident(length u)|)(v.u)) extensionality (open appl)
   (use length_compose -2
;U∘IDENT(LENGTH U)=U
(label identity_right) ■


8.30.7. Left Identity.


(proof identity_left)

1. (assume |into u|)

(label il_1)

2. (ue ((u.u)(v.|ident(length u)|))
   def_appl_condition
   * (open lesseq))

;DEF_APPL(IDENT(LENGTH U),U)

(label il_2)

3. (rw il_1 (open into))

;∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U

4. (ue ((v.|ident(length u)|)(u.u)) nth_compose il_2 *
   (use id_main ue: ((n.|nth(u,n)|)(m.|length u|))))
;∀N.N<LENGTH U⊃NTH(IDENT(LENGTH U)∘U,N)=NTH(U,N)

5. (ue ((u.|ident(length u)∘u|)(v.u)) extensionality
   (sortcomp il_2 length_compose *) (open appl))
;IDENT(LENGTH U)∘U=U

6. (ci il_1)

;INTO(U)⊃IDENT(LENGTH U)∘U=U
(label identity_left) ■


8.30.8. Inverse.


(proof inverse_main)

1. (assume |perm u|)

(label inv_main1)

;check that fstposition has the proper value on the intended domain

2. (rw inv_main1 (open perm onto))

;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))

(label inv_main2)

3. (ue ((u.u)(y.n)) posfacts)

;(NULL FSTPOSITION(U,N)⊃¬MEMBER(N,U))∧
;(MEMBER(N,U)⊃NATNUM(FSTPOSITION(U,N)))

4. (derive |n<length u⊃¬null fstposition(u,n)| (inv_main2 *))

(label inv_main3)

;prove by induction a sublemma:

5. (assume |n<length u⊃
   nthcdr(inverse(u),n)=invers1(u,n,length u-n)|)

(label inv_main5)

6. (assume |n'<length u|)

(label inv_main6)

7. (derive |n<length u| (* succ_less_less))

(label inv_main7)

8. (derive |¬null fstposition(u,n)| (inv_main3 inv_main7))

(label inv_main9)

9. (rw inv_main5
   (use inv_main7 inv_main9)(open invers1)
   (use minusfact10 mode: always))

(label inv_main10)

;NTHCDR(INVERSE(U),N)=FSTPOSITION(U,N).INVERS1(U,N',LENGTH U-N')
;deps: (INV_MAIN1 INV_MAIN5 INV_MAIN6)

;labels: CDR_NTHCDR

;∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N')

10. (ue ((u.|inverse u|)(n.n)) cdr_nthcdr (use * mode: exact))

;INVERS1(U,N',LENGTH U-N')=NTHCDR(INVERSE(U),N')

;deps: (INV_MAIN1 INV_MAIN5 INV_MAIN6)

11. (ci inv_main6)

;N'<LENGTH U⊃INVERS1(U,N',LENGTH U-N')=NTHCDR(INVERSE(U),N')

12. (ci inv_main5)

13. (ue (a |λn.n<length u⊃nthcdr(inverse(u),n)=invers1(u,n,length u-n)|)
    proof_by_induction (part 1#1 (open inverse minus)) *)
;∀N.N<LENGTH U⊃NTHCDR(INVERSE(U),N)=INVERS1(U,N,LENGTH U-N)

;deps: (INV_MAIN1)

;from this the main lemma follows:

14. (rw * (use minusfact10 mode: exact) (open invers1)
    (use inv_main3 mode: always))

;∀N.N<LENGTH U⊃
;NTHCDR(INVERSE(U),N)=FSTPOSITION(U,N).INVERS1(U,N',LENGTH U-N')

;deps: (INV_MAIN1)

;labels: CAR_NTHCDR

;∀U N.N<LENGTH U⊃CAR NTHCDR(U,N)=NTH(U,N)

15. (ue ((u.|inverse(u)|)(n.n)) car_nthcdr
    (use * lengthinverse inv_main1 mode: always))

;N<LENGTH U⊃FSTPOSITION(U,N)=NTH(INVERSE(U),N)

;deps: (INV_MAIN1)

16. (ci inv_main1)

;PERM(U)⊃(N<LENGTH U⊃FSTPOSITION(U,N)=NTH(INVERSE(U),N))

17. (derive |∀u n.perm u∧n<length u⊃nth(inverse u,n)=fstposition(u,n)| *)
(label inv_main) ■


Inverse Permutation.


(proof inverse_perm)

(assume |perm(u)|)

(label inv_p1)

(rw * (open perm onto))

;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))

(label inv_p2)

(ue ((u.u)(y.n)) posfacts)

;(NULL FSTPOSITION(U,N)⊃¬MEMBER(N,U))∧
;(MEMBER(N,U)⊃NATNUM(FSTPOSITION(U,N)))

(derive |∀n.n<length u⊃
   natnum fstposition(u,n)∧fstposition(u,n)<length u|
   (inv_p2 * pos_length))

(label inv_p3)

(derive |∀n.n<length u⊃
   nth(inverse u,n)=fstposition(u,n)|
   (inv_main inv_p1))

(label inv_p4)

(rw inv_p3 (use * mode: always direction: reverse))

;∀N.N<LENGTH U⊃NATNUM(NTH(INVERSE(U),N))∧NTH(INVERSE(U),N)<LENGTH U

(trw |into inverse(u)| *
   (open into) (use lengthinverse inv_p1 mode: exact))

;INTO(INVERSE(U))

(label into_inverse)

(ci inv_p1)

;PERM(U)⊃INTO(INVERSE(U))

(label inv_into)

(rw inv_p1 (open perm into onto))

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

(label inv_p10)

(derive |length inverse(u)=length u| (inv_p1 lengthinverse))

(label inv_p11)

(assume |n<length inverse(u)|)

(label inv_p12)

(rw * (use inv_p11 mode: exact))

;N<LENGTH U
(label inv_p13)

;apply the main property of the inverse function...

(ue (n |nth(u,n)|) inv_p4 (use inv_p10 * mode: always))

;NTH(INVERSE(U),NTH(U,N))=FSTPOSITION(U,NTH(U,N))

(label inv_p14)


;...the consequence of the Pigeon Hole principle...

14. (derive |inj u| (inv_p1 perm_injectivity))

;...the basic fact fstposition nth...

15. (derive |fstposition(u,nth(u,n))=n|
    (fstposition_nth uniqueness_injectivity * inv_p10 inv_p13))

16. (rw inv_p14 (use *))

;NTH(INVERSE(U),NTH(U,N))=N
(label inv_p15)

;...and the lemma nthmember...

17. (derive |natnum nth(u,n)∧nth(u,n)<length inverse(u)|
    (inv_p10 inv_p11 inv_p13))

18. (trw |member(nth(inverse u,nth(u,n)),inverse u)|
    (nthmember *))

;MEMBER(NTH(INVERSE(U),NTH(U,N)),INVERSE(U))

;...to conclude:

19. (rw * (use inv_p15))

;MEMBER(N,INVERSE(U))

;deps: (INV_P1 INV_P12)

20. (ci inv_p12)

;N<LENGTH (INVERSE(U))⊃MEMBER(N,INVERSE(U))

(label onto_inverse)

21. (trw |perm(inverse u)| (open perm onto)
    into_inverse onto_inverse)

;PERM(INVERSE(U))

22. (ci inv_p1)

;PERM(U)⊃PERM(INVERSE(U))

(label perm_inverse) ■


8.30.10. Right Inverse.

Theorem 3 (ii) (Right Inverse)

∀U.PERM(U)⊃U∘INVERSE(U)=IDENT(LENGTH(U))

Proof. We aim at an application of extensionality (line 12). From line 8 on, we follow the
proof given in Section 6.6.2, since all the facts assumed there as definitions have been proved here
as properties of our functions.

The additional fact to be proved here is that u is defined as an application on inverse(u) as
domain. This follows from the fact that inverse(u) is into (line 5) and has the same length as u
(line 3).
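The right-inverse law just described, and the left-inverse law of Theorem 3 (iii) that follows the same pattern, can also be checked mechanically on concrete lists. The block below is an added example, not code from the paper or from EKL: it transcribes the paper's list model (compose as (u∘v)[n] = u[v[n]] from COMPOSEDEF, ident(n) = [0, 1, ..., n-1], inverse(u)[n] = fstposition(u, n), and into/onto/perm as in the index of definitions) into Python and checks Theorems 1 (ii), 2 and 3 (ii)/(iii) exhaustively for every permutation of a small length. The helper names `def_appl`, `check_group_laws` and `check_all` are ours, and the exhaustive search is an assumption of this example rather than part of the paper's argument.

```python
"""Executable model of the list-based permutation theory proved in EKL above.

Added example, not the paper's code: it mirrors the EKL definitions of
compose, ident, inverse (via fstposition), into, onto and perm in Python and
checks the group laws exhaustively for small lengths.
"""
from itertools import permutations
from typing import List, Optional

Perm = List[int]


def nth(u: Perm, n: int) -> Optional[int]:
    # NTH(U,N): NIL (None here) past the end, matching NTHDEF.
    return u[n] if n < len(u) else None


def fstposition(u: Perm, y: int) -> Optional[int]:
    # FSTPOSITIONDEF: index of the first occurrence of y, NIL if absent.
    for i, x in enumerate(u):
        if x == y:
            return i
    return None


def into(u: Perm) -> bool:
    # INTODEF: every entry is a natural number below LENGTH U.
    return all(isinstance(x, int) and 0 <= x < len(u) for x in u)


def onto(u: Perm) -> bool:
    # ONTODEF: into, and every n < LENGTH U occurs in u.
    return into(u) and all(n in u for n in range(len(u)))


def perm(u: Perm) -> bool:
    # PERM(U) is defined as ONTO(U).
    return onto(u)


def def_appl(v: Perm, u: Perm) -> bool:
    # DEF_APPL(V,U): every element of u is a valid index into v.
    return all(isinstance(x, int) and 0 <= x < len(v) for x in u)


def compose(u: Perm, v: Perm) -> Perm:
    # COMPOSEDEF: U∘(X.V) = NTH(U,X).(U∘V), i.e. (u∘v)[n] = u[v[n]].
    if not def_appl(u, v):
        raise ValueError("u is not defined as an application on v")
    return [u[x] for x in v]


def ident(n: int) -> Perm:
    # IDENTDEF: IDENT(N) = IDENT1(0,N) = [0, 1, ..., N-1].
    return list(range(n))


def inverse(u: Perm) -> Perm:
    # INVERSDEF: INVERS1(U,0,LENGTH U), the list of FSTPOSITION(U,I) for I < LENGTH U.
    # For a permutation every I < LENGTH U occurs in u, so no NIL survives;
    # for a list that is into but not onto the inverse is undefined.
    inv = [fstposition(u, i) for i in range(len(u))]
    if any(p is None for p in inv):
        raise ValueError("u is not onto, inverse is undefined")
    return inv


def check_group_laws(u: Perm, v: Perm, w: Perm) -> bool:
    """Theorems 1 (ii), 2 (i)/(ii) and 3 (ii)/(iii) for permutations of one length."""
    n = len(u)
    assoc = compose(compose(w, v), u) == compose(w, compose(v, u))
    right_id = compose(u, ident(n)) == u
    left_id = compose(ident(n), u) == u
    right_inv = compose(u, inverse(u)) == ident(n)
    left_inv = compose(inverse(u), u) == ident(n)
    return assoc and right_id and left_id and right_inv and left_inv


def check_all(n: int) -> bool:
    """Exhaustively check the laws for all triples of permutations of length n."""
    perms = [list(p) for p in permutations(range(n))]
    return all(perm(p) for p in perms) and all(
        check_group_laws(u, v, w) for u in perms for v in perms for w in perms
    )


if __name__ == "__main__":
    print("all laws hold for length 4:", check_all(4))
```

The exhaustive check is the executable counterpart of the EKL proof, not a replacement for it: it confirms the laws for one length at a time, whereas the proof establishes them for every length. Note that `inverse` refuses a list that is into but not onto, which is exactly the ontoness obligation the proofs perm_ident and inverse_perm single out.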


(proof compose_inverse_right)

1. (assume |perm u|)(label cir1)

2. (rw cir1 (open perm onto))

;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))

(label cir2)

;labels: LENGTHINVERSE
;PERM(U)⊃LENGTH (INVERSE(U))=LENGTH U

3. (derive |length inverse(u)=length u| (cir1 lengthinverse))

(label cir3)

;labels: PERM_INVERSE
;PERM(U)⊃PERM(INVERSE(U))

4. (derive |perm inverse(u)| (perm_inverse cir1))

5. (rw * (open perm onto))

;INTO(INVERSE(U))∧(∀N.N<LENGTH (INVERSE(U))⊃MEMBER(N,INVERSE(U)))

;labels: DEF_APPL_CONDITION

;∀U V.INTO(U)∧LENGTH U≤LENGTH V⊃DEF_APPL(V,U)

6. (ue ((v.u)(u.|inverse u|))
   def_appl_condition
   (cir3 *) (open lesseq))

;DEF_APPL(U,INVERSE(U))

(label cir4)

;labels: LENGTH_COMPOSE

;∀W U.DEF_APPL(W,U)⊃LENGTH (W∘U)=LENGTH U

7. (trw |length(u∘inverse(u))=length ident(length u)|
   (use length_compose ue: ((w.u)(u.|inverse u|)) cir4 mode: always)
   (use cir3))

;LENGTH (U∘INVERSE(U))=LENGTH (IDENT(LENGTH U))

(label cir5)

we can apply Nth Compose...

;labels: NTH_COMPOSE

;∀V U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V∘U,N)=NTH(V,NTH(U,N))

8. (ue ((v.u)(u.|inverse u|))
   nth_compose cir4 cir3)

;∀N.N<LENGTH U⊃NTH(U∘INVERSE(U),N)=NTH(U,NTH(INVERSE(U),N))


...Main Inv...

;labels: INV_MAIN

;∀U N.PERM(U)∧N<LENGTH U⊃NTH(INVERSE(U),N)=FSTPOSITION(U,N)

9. (rw * (use inv_main cir1 mode: always))

;∀N.N<LENGTH U⊃NTH(U∘INVERSE(U),N)=NTH(U,FSTPOSITION(U,N))


...Nth Fstposition...

;labels: NTH_FSTPOSITION

;∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N

10. (rw * (use nth_fstposition cir2 mode: always))
;∀N.N<LENGTH U⊃NTH(U∘INVERSE(U),N)=N

...to conclude, using Main Id:

;labels: ID_MAIN

;∀M N.N<M⊃NTH(IDENT(M),N)=N

11. (trw |∀n.n<length u⊃nth(u∘inverse(u),n)=nth(ident(length u),n)|
    (use * mode: always)
    (use id_main ue: ((m.|length u|)(n.n)) mode: always))
;∀N.N<LENGTH U⊃NTH(U∘INVERSE(U),N)=NTH(IDENT(LENGTH U),N)

(label cir6)

;labels: EXTENSIONALITY

;∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃APPL(U,I)=APPL(V,I))⊃U=V

12. (ue ((u.|u∘inverse(u)|)(v.|ident(length u)|))
    extensionality cir6
    (use cir5 mode: always)(use sortcomp cir4 mode: always))
;U∘INVERSE(U)=IDENT(LENGTH U)

13. (ci cir1)

;PERM(U)⊃U∘INVERSE(U)=IDENT(LENGTH U)

(label inverse_right) ■


8.30.11. Left Inverse.


Theorem 3 (iii) (Left Inverse)

∀U.PERM(U)⊃INVERSE U∘U=IDENT(LENGTH U)

Proof. Again we follow closely the pattern of Section 6.6.3.

(proof compose_inverse_left)

1. (assume |perm u|)

(label cil1)

2. (derive |length inverse(u)=length u| (lengthinverse *))
(label cil2)

3. (rw cil1 (open perm onto))

;INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U))

(label cil3)

;labels: DEF_APPL_CONDITION

;∀U V.INTO(U)∧LENGTH U≤LENGTH V⊃DEF_APPL(V,U)

4. (ue ((v.|inverse u|)(u.u)) def_appl_condition
   cil2 cil3 (open lesseq)
   (use perm_inverse cil1))

;DEF_APPL(INVERSE(U),U)

(label cil4)

5. (trw |listp inverse(u)∘u| (cil4 sortcomp))

;LISTP INVERSE(U)∘U

(label cilsort)

6. (derive |length(inverse(u)∘u)=length ident(length u)|
   (cil4 length_compose))

(label cil5)

7. (assume |n<length u|)(label cil6)

Use the lemma Nth Compose...

;labels: NTH_COMPOSE

;∀V U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V∘U,N)=NTH(V,NTH(U,N))

8. (ue ((v.|inverse u|)(u.u)(n.n)) nth_compose cil4 cil6)

;NTH(INVERSE(U)∘U,N)=NTH(INVERSE(U),NTH(U,N))

(label cil7)

...the main property of inverse...

9. (rw cil3 (open into))

;(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)∧
;(∀N.N<LENGTH U⊃MEMBER(N,U))

(label cil8)

;labels: INV_MAIN

;∀U N.PERM(U)∧N<LENGTH U⊃NTH(INVERSE(U),N)=FSTPOSITION(U,N)

10. (ue ((u.u)(n.|nth(u,n)|)) inv_main (use cil1 cil6 cil8 mode: always))
;NTH(INVERSE(U),NTH(U,N))=FSTPOSITION(U,NTH(U,N))

(label cil9)

...a consequence of the Pigeon Hole principle...

11. (derive |inj u| (perm_injectivity cil1))

(label cil10)

...the lemma Fstposition Nth...

;labels: FSTPOSITION_NTH

;∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N

12. (derive |fstposition(u,nth(u,n))=n|
    (fstposition_nth uniqueness_injectivity cil10 cil6))

13. (rw cil9 (use *))

;NTH(INVERSE(U),NTH(U,N))=N

...and the main property of ident to conclude:

;labels: ID_MAIN

;∀M N.N<M⊃NTH(IDENT(M),N)=N

14. (trw |nth(inverse(u)∘u,n)=nth(ident(length u),n)|
    (use cil6 cil7 * mode: always)
    (use id_main ue: ((m.|length u|)(n.n)) cil6 mode: always))

;NTH(INVERSE(U)∘U,N)=NTH(IDENT(LENGTH U),N)

15. (ci cil6)

;N<LENGTH U⊃NTH(INVERSE(U)∘U,N)=NTH(IDENT(LENGTH U),N)

Therefore:

;labels: EXTENSIONALITY

;∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃APPL(U,I)=APPL(V,I))⊃U=V

16. (ue ((u.|inverse(u)∘u|)(v.|ident(length u)|))
    extensionality
    cil5 * (open appl))

;INVERSE(U)∘U=IDENT(LENGTH U)

;deps: (CIL1)

17. (ci cil1)

;PERM(U)⊃INVERSE(U)∘U=IDENT(LENGTH U)

(label inverse_left) ■
9.1. Index of Examples.

Example 1: Use of the rewriter NORMAL. Section 2.1.

Proof: transitivity of <.

∀N M K.N<M∧M<K⊃N<K

Example 2: Default declarations and previous declarations. Section 2.4.

Declaration of the symbol xv.

Example 3: Rewriting using only simpinfo. Section 2.6.

Proof: Sexp Nth.

∀U N.SEXP NTH(U,N)

Example 4: How the rewriting process reflects an informal argument. Section 2.9.

Proof: Fstposition Nth.

∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N

Example 5: Abbreviation of proofs by rewriting. How the rewriter Trans Condh was determined
in a "trial and error" interaction. Section 7.

Proof: Lemma 2.10 Mult Nthcdr.

∀N A U.N<LENGTH U⊃MULT(NTHCDR(U,N),A)≤MULT(U,A)

Example 6: Predicate all. Definition by recursion and explicit definitions. Heuristics.
Section 4.1.

Proof: Pigeonfact

∀F.(∀N.NATNUM(F(N)))⊃
(∀N.(∀M.M<N⊃1≤F(M))∧SUM(λK.F(K),N)=N⊃(∀M.M<N⊃1=F(M)))

Example 7: Predicate somep. Efficiency of rewriting. Definition by recursion and explicit
definitions. Section 5.2.

Proof: Nonempty Range

∀ALIST X.MEMBER(X,DOM ALIST)⊃
(∃Y.MEMBER(Y,RANGE ALIST)∧APPALIST(X,ALIST)=Y)

Example 8: Heuristics of a proof. Section 6.3.4.

Proof: Lemma 6.3. Lengthinverse

∀U.PERM(U)⊃LENGTH (INVERSE(U))=LENGTH U

Example 9: Use of general lemmata and efficiency. Section 6.5.4.

Proof: Theorem 2 (ii) (Right Identity)

∀U.U∘IDENT(LENGTH U)=U

Example 10: Discussion of the formalization of an informal argument. Section 7.

Proof: Every surjection of finite sets of the same cardinality is an injection.

10. Index of SIMPINFO.


The following lines are labeled simpinfo in some proof. They are available to EKL in the
execution of all proofs that use the proof in question by the command get-proofs (see the graph
of file dependency at the beginning of the Appendix).

Simpinfo from file LISPAX
proof LISPAX

13. ∀XA.SEXP XA

14. ∀U.SEXP U

15. ∀X U.LISTP X.U

16. ∀U.¬NULL U⊃LISTP CDR U

17. ∀U.¬NULL U⊃SEXP CAR U

18. ∀X.¬ATOM X⊃SEXP CAR X

19. ∀X.¬ATOM X⊃SEXP CDR X

20. ∀X Y.SEXP X.Y

21. ∀X Y.¬ATOM X.Y

22. ∀X U.¬NULL X.U

23. ∀U.NULL U⊃U=NIL

24. ∀X Y.CAR (X.Y)=X

25. ∀X Y.CDR (X.Y)=Y

26. CAR NIL=NIL

27. CDR NIL=NIL

28. ∀U.¬NULL U⊃CAR U.CDR U=U

;labels: SIMPINFO CONS_CAR_CDR

29. ∀X.¬ATOM X⊃CAR X.CDR X=X

43. LIST(())=NIL

44. ∀LST.LISTP LIST(LST)

;labels: SIMPINFO LISTDEF

45. ∀X LST.LIST(X,LST)=X.LIST(LST)

;labels: SIMPINFO APPENDEF

47. ∀X U V.NIL*V=V∧X.U*V=X.(U*V)

;labels: SIMPINFO LISTAPPEND

48. ∀U V.LISTP U*V

49. ∀U.U*NIL=U

50. ∀X V.X.NIL*V=X.V


56. ∀ALIST.LISTP ALIST

;labels: SIMPINFO ALISTDEF

58. ∀XA Y ALIST.ALISTP NIL∧ALISTP (XA.Y).ALIST
61. ∀X ALIST.SEXP ASSOC(X,ALIST)

66. ∀U.SEXP CAR U

67. ∀U.LISTP CDR U

Simpinfo from file SET
proof SETS

3. ∀X.URELEMENT X

4. ∀XV.SEXP(XV)

Simpinfo from file NATNUM
proof NATNUM

10. ∀N.NATNUM(N')

;labels: SIMPINFO PRED_DEF

19. ∀N.PRED(N')=N

20. ∀N.NATNUM(PRED(N))

;labels: SIMPINFO PLUSFACTS PLUSDEF

21. ∀N K.0+N=N∧K'+N=(K+N)'

22. ∀N M.NATNUM(N+M)

;labels: SIMPINFO PLUSFACTS

23. ∀N.N+0=N

;labels: SIMPINFO PLUSFACTS PLUSDEF1

24. ∀N.1+N=N'∧N+1=N'

;labels: SIMPINFO PLUSFACTS

25. ∀N K.N+K'=(N+K)'

;labels: SIMPINFO SUCCFACTS ZERO_NOT_SUCCESSOR
17. ∀N.¬N'=0

;labels: SIMPINFO ZEROLEAST1
9. ∀N.¬N<0

;labels: SIMPINFO SUCCFACTS SUCCESSORLESS

13. ∀N M.N'<M'≡N<M

;labels: SIMPINFO SUCCFACTS SUCCESSOREQ

14. ∀N M.N'=M'≡N=M

;labels: SIMPINFO SUCCFACTS ZEROLEAST3
16. ∀N.0<N'

Simpinfo from file MINUS
proof LESSEQ

1. ∀N.¬N=N'

;labels: SIMPINFO SUCCESSORFACTS SUCCESSORLESSEQ
4. ∀N M.N'≤M'≡N≤M

;labels: SIMPINFO ZERO_NON_LESS_SUCCESSOR
9. ∀N M.N'≤M⊃¬M=0

proof MINUS

;labels: SIMPINFO MINUS_SORT
3. ∀N K.NATNUM(K-N)

;labels: SIMPINFO N_LESS_N
9. ∀N.N-N=0


Simpinfo from file LENGTH
proof LENGTH

;labels: SIMPINFO LENGTHDEF

2. ∀U X.LENGTH NIL=0∧LENGTH (X.U)=LENGTH U'

3. ∀U.NATNUM(LENGTH U)

4. ∀U.LENGTH U=0≡NULL U

;labels: SIMPINFO LENGTHADD

5. ∀U V.LENGTH (U*V)=LENGTH U+LENGTH V

6. ∀X.LENGTH (X.NIL)=1

;labels: SIMPINFO HAVE_MEMBER

8. ∀U Y.MEMBER(Y,U)⊃0<LENGTH U

;labels: SIMPINFO HAVE_MEMBER1

9. ∀U Y.MEMBER(Y,U)⊃¬NULL U

Simpinfo from file NTH
proof LISPAX

69. ∀N.¬NULL N

70. ∀N.SEXP N

proof NTH

;labels: SIMPINFO NTHDEF

2. ∀X U N.NTH(NIL,N)=NIL∧NTH(U,0)=CAR U∧NTH(X.U,N')=NTH(U,N)

;labels: SIMPINFO SEXP_NTH

3. ∀U N.SEXP NTH(U,N)


proof NTHCDR

;labels: SIMPINFO DEF

2. ∀X U N.NTHCDR(NIL,N)=NIL∧NTHCDR(U,0)=U∧NTHCDR(X.U,N')=NTHCDR(U,N)

3. ∀U N.LISTP NTHCDR(U,N)


proof FSTPOSITION

;labels: SIMPINFO POSFACTS

3. ∀U Y.(NULL FSTPOSITION(U,Y)⊃¬MEMBER(Y,U))∧
(MEMBER(Y,U)⊃NATNUM(FSTPOSITION(U,Y)))∧
(NULL FSTPOSITION(U,Y)∨NATNUM(FSTPOSITION(U,Y)))

;labels: SIMPINFO SORTPOS

4. ∀U Y.SEXP FSTPOSITION(U,Y)

Simpinfo from file APPL
proof ALISTFACTS

;labels: SIMPINFO DOMSORT

1. ∀ALIST.LISTP DOM(ALIST)

;labels: SIMPINFO RANGESORT

2. ∀ALIST.LISTP RANGE(ALIST)

;labels: SIMPINFO APPALISTSORT

5. ∀ALIST Y.SEXP APPALIST(Y,ALIST)


proof APPL

;labels: SIMPINFO APPLFACTS

3. ∀U I.I<LENGTH U⊃SEXP APPL(U,I)∧MEMBER(APPL(U,I),U)


Simpinfo from file MULT
proof MULTIPLICITY

;labels: SIMPINFO MULTFACT
3. ∀U A.NATNUM(MULT(U,A))

;labels: SIMPINFO EMPTYFACTS
7. ∀U.MULT(U,EMPTYSET)=0


Simpinfo from file ASSOC
proof ALISTFACTS

;labels: SIMPINFO COMPALISTSORT

11. ∀ALIST ALIST1.ALISTP ALIST oo ALIST1

Simpinfo from file PERMF
proof PERMFACTS

;labels: SIMPINFO SORTCOMP

2. ∀V U.DEF_APPL(V,U)⊃LISTP V∘U

3. ∀V U.ALLP(λX.NATNUM(X)∧X<LENGTH V,U)⊃LISTP V∘U

4. ∀M N.LISTP IDENT1(M,N)

5. ∀N.LISTP IDENT(N)

6. ∀U N I.LISTP INVERS1(U,I,N)

7. ∀U.LISTP INVERSE(U)

;labels: SIMPINFO IDENT_LENGTH

9. ∀N M.LENGTH (IDENT1(M,N))=N

10. ∀N.LENGTH (IDENT(N))=N
1. Index of Definitions.


Definitions from file LISPAX
proof LISPAX

;labels: LISTINDUCTIONDEF
34. ∀DF NILCASE DEF.
(∃FUN.(∀PARS X U.FUN(NIL,PARS)=NILCASE(PARS)∧
FUN(X.U,PARS)=DEF(X,U,FUN(U,DF(X,PARS)),PARS)))

;labels: SEXPINDUCTIONDEF
36. ∀ATOMCASE DEFSEXP DF1 DF2.
(∃FUN.
(∀PARS X Y Z.(ATOM Z⊃FUN(Z,PARS)=ATOMCASE(Z,PARS))∧
FUN(X.Y,PARS)=
DEFSEXP(X,Y,FUN(X,DF1(X,Y,PARS)),
FUN(Y,DF2(X,Y,PARS)),PARS)))

;labels: HIGH_ORDER_DEFINITION
40. ∀BIGFUN ATOM_FUN.
(∃DEFINED_FUN.(∀X Y.(ATOM X⊃DEFINED_FUN(X)=ATOM_FUN(X))∧
DEFINED_FU N(X.Y)=
BIGFUN(X,Y,DEFINED_FUN(X),
DEFINED_FUN(Y))))

;labels: SIMPINFO LISTDEF

45. ∀X LST.LIST(X,LST)=X.LIST(LST)

;labels: SIMPINFO APPENDEF
47. ∀X U V.NIL*V=V∧X.U*V=X.(U*V)

;labels: ALLPDEF

52. ∀PHI X U.ALLP(PHI,NIL)∧
ALLP(PHI,X.U)=(IF PHI(X) THEN ALLP(PHI,U) ELSE FALSE)

;labels: SOMEPDEF

53. ∀PHI X U.¬SOMEP(PHI,NIL)∧
SOMEP(PHI,X.U)=(IF PHI(X) THEN TRUE ELSE SOMEP(PHI,U))

;labels: MAPCARDEF

54. ∀FN X U.MAPCAR(FN,NIL)=NIL∧MAPCAR(FN,X.U)=FN(X).MAPCAR(FN,U)

;labels: ALISTDEF

57. ∀ALIST.¬NULL ALIST⊃
¬ATOM CAR ALIST∧ATOM CAR (CAR ALIST)∧ALISTP CDR ALIST

;labels: SIMPINFO ALISTDEF

58. ∀XA Y ALIST.ALISTP NIL∧ALISTP (XA.Y).ALIST

;labels: ASSOCDEF

60. ∀X XA Y ALIST.ASSOC(X,NIL)=NIL∧
ASSOC(X,(XA.Y).ALIST)=
(IF X=XA THEN XA.Y ELSE ASSOC(X,ALIST))

;labels: MEMBERDEF

63. ∀X Y U.¬MEMBER(X,NIL)∧MEMBER(X,Y.U)=(X=Y∨MEMBER(X,U))

;labels: UNIQUENESSDEF

65. ∀U X.UNIQUENESS(NIL)∧(UNIQUENESS(X.U)≡¬MEMBER(X,U)∧UNIQUENESS(U))

Definitions from file SET
proof SETS

;labels: EPSILONDEF
6. ∀AV XV.XV∈AV≡AV(XV)

;labels: INTERDEF

9. ∀AV BV.AV∩BV=(λXV.AV(XV)∧BV(XV))

;labels: UNIONDEF

11. ∀AV BV.AV∪BV=(λXV.AV(XV)∨BV(XV))

;labels: INCLUSIONDEF

13. ∀AV BV.AV⊂BV≡(∀XV.AV(XV)⊃BV(XV))

;labels: EMPTYSETDEF

14. EMPTYSET=(λXV.FALSE)

;EMPTYP:

15. ∀AV.EMPTYP(AV)≡(∀XV.¬AV(XV))

;labels: MKSET_DEF

17. ∀XV.MKSET(XV)=(λYV.YV=XV)

;labels: MKLSETDEF

19. ∀U.MKLSET(U)=(λX.MEMBER(X,U))

Definitions from file NATNUM
proof NATNUM

;labels: SIMPINFO PRED_DEF
19. ∀N.PRED(N')=N

;labels: SIMPINFO PLUSFACTS PLUSDEF
21. ∀N K.0+N=N∧K'+N=(K+N)'

;labels: SIMPINFO PLUSFACTS PLUSDEF1
24. ∀N.1+N=N'∧N+1=N'

;labels: TIMESFACTS

30. ∀N K.0*N=0∧N'*K=N*K+K

Definitions from file MINUS
proof LESSEQ

;labels: LESSEQDEF
3. ∀M N.M≤N≡(M=N∨M<N)


proof MINUS

;labels: MINUSDEF

2. ∀M N.M-0=M∧M-N'=PRED(M-N)


Definitions from file LENGTH
proof LENGTH

;labels: SIMPINFO LENGTHDEF

2. ∀U X.LENGTH NIL=0∧LENGTH (X.U)=LENGTH U'

proof INDUCTION

;labels: INDUCTIVE_DEFINITION
5. ∀NDF ZCASE NDEF.
(∃FUN.(∀NPARS N.FUN(0,NPARS)=ZCASE(NPARS)∧
FUN(N',NPARS)=
NDEF(N,FUN(N,NDF(N,NPARS)),NPARS)))

;labels: HIGH_ORDER_NATNUM_DEFINITION
10. ∀INDFN ARB.
(∃DEF_FUN.(∀N.DEF_FUN(0)=ARB∧
DEF_FUN(N')=INDFN(N,DEF_FUN(N))))


Definitions from file NTH
proof NTH

;labels: SIMPINFO NTHDEF

2. ∀X U N.NTH(NIL,N)=NIL∧NTH(U,0)=CAR U∧NTH(X.U,N')=NTH(U,N)

proof NTHCDR

;labels: SIMPINFO NTHCDRDEF

2. ∀X U N.NTHCDR(NIL,N)=NIL∧NTHCDR(U,0)=U∧NTHCDR(X.U,N')=NTHCDR(U,N)

proof FSTPOSITION

;labels: FSTPOSITIONDEF
2. ∀X U Y.FSTPOSITION(NIL,Y)=NIL∧
FSTPOSITION(X.U,Y)=
(IF ¬MEMBER(Y,X.U) THEN NIL
ELSE (IF X=Y THEN 0 ELSE FSTPOSITION(U,Y)'))


proof INJ

;labels: INJDEF

2. ∀U.INJ(U)≡(∀N M.N<LENGTH U∧M<LENGTH U∧NTH(U,N)=NTH(U,M)⊃N=M)

Definitions from file APPL
proof APPALIST

;labels: DOMDEF

2. ∀XA Y ALIST.DOM(NIL)=NIL∧DOM((XA.Y).ALIST)=XA.DOM(ALIST)

;labels: RANGEDEF

4. ∀XA Y ALIST.RANGE(NIL)=NIL∧RANGE((XA.Y).ALIST)=Y.RANGE(ALIST)

;labels: FUNCTDEF

6. ∀ALIST.FUNCTP(ALIST)≡UNIQUENESS(DOM(ALIST))

;labels: INJECTDEF

8. ∀ALIST.INJECTP(ALIST)≡FUNCTP(ALIST)∧UNIQUENESS(RANGE(ALIST))

;labels: APPALISTDEF

10. ∀ALIST Y.APPALIST(Y,ALIST)=CDR ASSOC(Y,ALIST)

;labels: SAMEMAPDEF

12. ∀ALIST ALIST1.SAMEMAP(ALIST,ALIST1)≡
MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))∧
(∀Y.Y∈MKLSET(DOM(ALIST))⊃
APPALIST(Y,ALIST)=APPALIST(Y,ALIST1))

;labels: PERMUTP_DEF

13. ∀ALIST.PERMUTP(ALIST)≡
FUNCTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))

proof ALISTFACTS

;labels: SAMEMAP_DEF1

10. ∀ALIST1 ALIST2.SAMEMAP(ALIST1,ALIST2)≡
MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2))∧
(∀X.APPALIST(X,ALIST1)=APPALIST(X,ALIST2))


proof APPL

;labels: APPLDEF

1. ∀U I.APPL(U,I)=NTH(U,I)

;labels: INTODEF

5. ∀U.INTO(U)≡(∀N.N<LENGTH U⊃NATNUM(NTH(U,N))∧NTH(U,N)<LENGTH U)

;labels: ONTODEF

7. ∀U.ONTO(U)≡(INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U)))

;PERM

9. ∀U.PERM(U)≡ONTO(U)

Definitions from file SUMS
proof SUMS

;labels: ALLNUMDEF

7. ∀N A.ALLNUM(0,A)∧(ALLNUM(N',A)≡A(N)∧ALLNUM(N,A))

;labels: SOMENUMDEF

8. ∀N A.¬SOMENUM(0,A)∧(SOMENUM(N',A)≡A(N)∨SOMENUM(N,A))

;labels: SUMDEF

9. ∀N NUMSEQ.SUM(NUMSEQ,0)=0∧
SUM(NUMSEQ,N')=SUM(NUMSEQ,N)+NUMSEQ(N)

;labels: UNDEF

10. ∀N SETSEQ.UN(SETSEQ,0)=EMPTYSET∧
UN(SETSEQ,N')=UN(SETSEQ,N)∪SETSEQ(N)

;labels: DISJPAIR_DEF

12. ∀A B.DISJ_PAIR(A,B)≡EMPTYP(A∩B)

;labels: DISJOINTDEF
14. ∀N SETSEQ.DISJOINT(SETSEQ,0)∧
DISJOINT(SETSEQ,N')≡
(DISJOINT(SETSEQ,N)∧DISJ_PAIR(UN(SETSEQ,N),SETSEQ(N)))

Definitions from file MULT
proof MULTIPLICITY

;labels: MULT_DEF

2. ∀X U A.MULT(NIL,A)=0∧
MULT(X.U,A)=(IF A(X) THEN MULT(U,A)' ELSE MULT(U,A))

Definitions from file ASSOC

;labels: COMPALISTDEF

2. ∀ALIST1 ALIST2 XA Y.NIL oo ALIST2=NIL∧
((XA.Y).ALIST1) oo ALIST2=
(XA.APPALIST(Y,ALIST2)).ALIST1 oo ALIST2


;labels: INVALISTDEF

4. ∀ALIST XA Y.INVALIST(NIL)=NIL∧
INVALIST((XA.Y).ALIST)=(Y.XA).INVALIST(ALIST)

;labels: IDALISTPDEF
6. ∀ALIST XA Y.IDALISTP(NIL)∧
(IDALISTP((XA.Y).ALIST)≡XA=Y∧IDALISTP(ALIST))

Definitions from file PERMP
proof COMP_PRED

;labels: COMPDEF

2. ∀U V W.COMP(U,V,W)≡LENGTH U=LENGTH W∧
(∀N.N<LENGTH U⊃NTH(U,N)=NTH(V,NTH(W,N)))


;labels: ID_DEF

4. ∀U.ID(U)≡(∀N.N<LENGTH U⊃NTH(U,N)=N)

;labels: INVDEF

6. ∀U V.INV(U,V)≡(∀N.N<LENGTH U⊃NTH(U,N)=FSTPOSITION(V,N))


Definitions from file PERMF
proof COMP_FNCT

;labels: DEF_APPL_FACT

2. ∀U V.DEF_APPL(V,U)≡ALLP(λX.NATNUM(X)∧X<LENGTH V,U)

;labels: COMPOSEDEF

4. ∀U V X.U∘NIL=NIL∧U∘(X.V)=NTH(U,X).U∘V
;labels: IDENTDEF1

6. ∀N I.IDENT1(I,0)=NIL∧IDENT1(I,N')=I.IDENT1(I',N)

;labels: IDENTDEF
8. ∀N.IDENT(N)=IDENT1(0,N)

;labels: INVERSDEF1

10. ∀U I N.INVERS1(U,I,0)=NIL∧INVERS1(NIL,I,N)=NIL∧
INVERS1(U,I,N')=
(IF NULL FSTPOSITION(U,I) THEN NIL
ELSE FSTPOSITION(U,I).INVERS1(U,I',N))

;labels: INVERSDEF

12. ∀U.INVERSE(U)=INVERS1(U,0,LENGTH U)
add_lesseq, 171
∀N K M.N≤M∧1≤K⊃N'≤M+K

add_one, 171
∀K N M.1≤K∧N'=M+K∧N≤M⊃1=K∧N=M

addtozero, 165
∀N K.N+K=0≡N=0∧K=0

∀ALIST ALIST1 X.MEMBER(X,DOM(ALIST))⊃APPALIST(X,ALIST ∘ ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)

alist_lemma2, 91
∀ALIST ALIST1.DOM(ALIST ∘ ALIST1)=DOM(ALIST)

alist_lemma3, 91
∀ALIST X.MEMBER(X,DOM ALIST)⊃(∃Y.MEMBER(Y,RANGE ALIST)∧APPALIST(X,ALIST)=Y)

alist_lemma4, 93
∀ALIST Z.UNIQUENESS DOM(ALIST)∧MEMBER(Z,RANGE ALIST)⊃(∃X.MEMBER(X,DOM ALIST)∧APPALIST(X,ALIST)=Z)

alistdef, 175
∀XA Y ALIST.ALISTP NIL∧ALISTP((XA.Y).ALIST)

alistdef1, 175
∀U.ALISTP U=(¬NULL U⊃¬ATOM CAR U∧ATOM CAR(CAR U)∧ALISTP(CDR U))

alist_induction, 61
∀CHI.CHI(NIL)∧(∀XA Y ALIST.CHI(ALIST)⊃CHI((XA.Y).ALIST))⊃(∀ALIST.CHI(ALIST))

allnumdef, 53
∀N A.ALLNUM(0,A)∧(ALLNUM(N',A)≡A(N)∧ALLNUM(N,A))

allp_elimination, 37
∀U.MEMBER(X,U)∧ALLP(PHI1,U)⊃PHI1(X)

allp_implication, 38
∀U A A1.ALLP(A,U)∧(∀X.A(X)⊃A1(X))⊃ALLP(A1,U)

allp_introduction, 37
∀U.(∀Y.MEMBER(Y,U)⊃PHI1(Y))⊃ALLP(PHI1,U)

allp_nthcdr, 47
∀A U N.ALLP(A,U)⊃ALLP(A,NTHCDR(U,N))

allp, 175
∀PHI X U.ALLP(PHI,NIL)∧ALLP(PHI,X.U)=IF PHI(X) THEN ALLP(PHI,U) ELSE FALSE

allpfact, 37
∀PHI X U.ALLP(PHI,X.U)⊃PHI(X)∧ALLP(PHI,U)

app_compalist, 91
… ALIST1)=APPALIST(APPALIST(X,ALIST),ALIST1)

appalistdef, 60
∀ALIST Y.APPALIST(Y,ALIST)=CDR ASSOC(Y,ALIST)

appalist_sort, 62
∀ALIST.SEXP APPALIST(Y,ALIST)

appendef, 174
∀X U V.NIL*V=V∧(X.U)*V=X.(U*V)

appldef, 63
∀U I.APPL(U,I)=NTH(U,I)

applfacts, 64
∀U I.I<LENGTH U⊃SEXP APPL(U,I)∧MEMBER(APPL(U,I),U)

assoc_comp, 128
∀U V W.DEF_APPL(W,V)∧DEF_APPL(V,U)⊃(W#V)#U=W#(V#U)

∀X XA Y ALIST.ASSOC(X,NIL)=NIL∧ASSOC(X,(XA.Y).ALIST)=(IF X=XA THEN XA.Y ELSE ASSOC(X,ALIST))

associativity_of_composition, 128
∀U V W.PERM(V)∧PERM(U)∧LENGTH V=LENGTH U∧LENGTH W=LENGTH U⊃(W#V)#U=W#(V#U)

associativity_pred, 124
∀U U1 V V1 W1 W2 W3.INTO(W3)∧LENGTH W2=LENGTH W3∧
COMP(V,W1,W2)∧COMP(U,V,W3)∧
COMP(V1,W2,W3)∧COMP(U1,W1,V1)⊃U=U1
atomrange, 106
∀ALIST.MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))⊃ALLP(λX.ATOM X,RANGE(ALIST))

car_nthcdr, 45
∀U N.N<LENGTH U⊃CAR NTHCDR(U,N)=NTH(U,N)

cdr_nthcdr, 45
∀U N.CDR NTHCDR(U,N)=NTHCDR(U,N')

commutadd, 165
∀K N.K+N=N+K

commutmult, 166
∀N

comp_uniqueness, 121
COMP(U,V,W)∧COMP(U1,V,W)⊃U=U1

compalist_associativity, 101
∀ALIST ALIST1 ALIST2.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃
ALIST ∘ (ALIST1 ∘ ALIST2)=(ALIST ∘ ALIST1) ∘ ALIST2

compalist_lemma, 93
∀ALIST.¬MEMBER(ZA,RANGE(ALIST))⊃ALIST ∘ ((ZA.Z).ALIST1)=ALIST ∘ ALIST1

compalist_sort, 90
∀ALIST.ALISTP ALIST ∘ ALIST1

compalistdef, 89
∀ALIST1 ALIST2 XA Y.NIL ∘ ALIST2=NIL∧((XA.Y).ALIST1) ∘ ALIST2=(XA.APPALIST(Y,ALIST2)).(ALIST1 ∘ ALIST2)

composedef, 113
∀U V X.(U#NIL)=NIL∧(U#(X.V))=(NTH(U,X)).(U#V)

cons_car_cdr, 173
∀U.¬NULL U⊃(CAR U.CDR U=U)

cons_car_cdr, 173
∀X.¬ATOM X⊃(CAR X.CDR X=X)

def_appl_condition, 115
∀U V.INTO(U)∧LENGTH U=LENGTH V⊃DEF_APPL(V,U)

def_appl_condition1, 115
∀U V.PERM(U)∧LENGTH U=LENGTH V⊃DEF_APPL(V,U)

def_appl_fact, 113
∀U V.DEF_APPL(V,U)≡ALLP(λX.NATNUM(X)∧X<LENGTH(V),U)

demorgan, 33
∀P Q.(¬(P∨Q))≡((¬P)∧(¬Q))

demorgan1, 33
∀P Q.¬(P∧Q)≡(¬P)∨(¬Q)

disj_pairdef, 54
∀A B.DISJ_PAIR(A,B)=EMPTYP(A∩B)

disjoint_def, 54
∀N SETSEQ.DISJOINT(SETSEQ,0)∧
DISJOINT(SETSEQ,N')=(DISJOINT(SETSEQ,N)∧DISJ_PAIR(UN(SETSEQ,N),SETSEQ(N)))

disjoint_number, 85
∀N.DISJOINT(λXV.MKSET(XV),N)

dom_compalist, 91
∀ALIST ALIST1.DOM(ALIST ∘ ALIST1)=DOM(ALIST)

dom_invalist, 94
∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃DOM(INVALIST(ALIST))=RANGE(ALIST)

domdef, 60
∀XA Y ALIST.DOM NIL=NIL∧DOM((XA.Y).ALIST)=XA.DOM ALIST

domlength, 62
∀ALIST.LENGTH(DOM(ALIST))=LENGTH ALIST

domrange_length, 62
∀ALIST.LENGTH(DOM(ALIST))=LENGTH(RANGE(ALIST))

domsort, 61
∀ALIST.LISTP DOM(ALIST)
double_induction, 179
∀PHI2.(∀U V X Y.PHI2(NIL,U)∧PHI2(U,NIL)∧(PHI2(U,V)⊃PHI2(X.U,Y.V)))⊃(∀U V.PHI2(U,V))

double_induction1, 179
∀PHI3.(∀U N X.PHI3(NIL,N)∧PHI3(U,0)∧(PHI3(U,N)⊃PHI3(X.U,N')))⊃(∀U N.PHI3(U,N))

duniondef, 40
∀A B.A∪B=λXV.(A(XV)∨B(XV))

emptyfacts, 50
∀U.MULT(U,EMPTYSET)=0

emptyp, 40
∀A.EMPTYP(A)=∀XV.¬A(XV)

emptysetdef, 40
EMPTYSET=λXV.FALSE

epsilondef, 39
∀A XV.XV∈A≡A(XV)

epsilondef, 40
∀A XV.XV∈A=A(XV)

example, 35
∀N M K.N<M∧M<K⊃N<K

excluded_middle, 33
∀P Q.P≡(Q⊃P)∧(¬Q⊃P)

extensionality, 64
∀U V.LENGTH U=LENGTH V∧(∀I.I<LENGTH U⊃APPL(U,I)=APPL(V,I))⊃U=V

fstposition_nth, 48
∀U N.UNIQUENESS(U)∧N<LENGTH U⊃FSTPOSITION(U,NTH(U,N))=N

fstpositiondef, 47
∀X U Y.FSTPOSITION(X.U,Y)=IF … THEN NIL ELSE IF X=Y THEN 0 ELSE ADD1(FSTPOSITION(U,Y))

functdef, 60
∀ALIST.FUNCTP(ALIST)≡UNIQUENESS DOM(ALIST)

have_member, 178
∀U Y.MEMBER(Y,U)⊃0<LENGTH U

have_member1, 178
∀U Y.MEMBER(Y,U)⊃¬NULL U

high_order_definition, 174
∀BIGFUN ATOM_FUN.∃DEFINED_FUN.∀X Y.(ATOM X⊃DEFINED_FUN(X)=ATOM_FUN(X))∧
(DEFINED_FUN(X.Y)=BIGFUN(X,Y,DEFINED_FUN(X),DEFINED_FUN(Y)))

high_order_natnum_definition, 167
∀INDFN ARB.∃DEF_FUN.∀N.DEF_FUN(0)=ARB∧DEF_FUN(N')=INDFN(N,DEF_FUN(N))

id_left, 130
∀U V W.ID(U)∧PERM(W)∧LENGTH W=LENGTH U∧COMP(V,U,W)⊃W=V

id_main, 132
∀N.N<M⊃NTH(IDENT(M),N)=N

id_perm, 129
∀U.ID(U)⊃PERM(U)

id_right, 129
∀U V W.ID(U)∧COMP(V,W,U)∧LENGTH W=LENGTH U⊃V=W

idalistp_left, 103
∀ALIST ALISTID.IDALISTP(ALISTID)∧MKLSET(DOM(ALISTID))=MKLSET(DOM(ALIST))⊃SAMEMAP(ALISTID ∘ ALIST,ALIST)

idalistp_main, 94
∀ALIST.IDALISTP(ALIST)∧MEMBER(Y,DOM(ALIST))⊃CDR ASSOC(Y,ALIST)=Y

idalistp_permutp, 102
∀ALIST.FUNCTP(ALIST)∧IDALISTP(ALIST)⊃PERMUTP(ALIST)

∀ALIST1.IDALISTP(ALIST1)⊃(∀ALIST.MKLSET(RANGE(ALIST))⊂MKLSET(DOM(ALIST1))⊃ALIST ∘ ALIST1=ALIST)

idalistpdef, 90
∀ALIST XA Y.IDALISTP(NIL)∧(IDALISTP((XA.Y).ALIST)≡XA=Y∧IDALISTP ALIST)
ident_sort, 115
∀N.LISTP IDENT(N)

ident_sort1, 115
∀N M.LISTP IDENT1(M,N)

identdef, 113
∀N.IDENT(N)=IDENT1(0,N)

identdef1, 113
∀X U N I.IDENT1(I,0)=NIL∧IDENT1(I,N')=I.IDENT1(I',N)

identity_left, 136
∀U.INTO(U)⊃IDENT(LENGTH U)#U=U

identity_right, 131
∀U.U#IDENT(LENGTH U)=U

inclusiondef, 40
∀A B.A⊂B=∀XV.A(XV)⊃B(XV)

inductive_definition, 166
∀NDF ZCASE NDEF.(∃FUN.(∀NPARS N.FUN(0,NPARS)=ZCASE(NPARS)∧
FUN(N',NPARS)=NDEF(N,FUN(N,NDF(N,NPARS)),NPARS)))

inequality_law, 171
∀N M K.K<N∧M<N-K≡M+K<N

infinite_descent, 167
¬∃DESC.∀N.DESC(N')<DESC(N)

injdef, 52
∀U.INJ(U)=∀N M.N<LENGTH(U)∧M<LENGTH(U)∧NTH(U,N)=NTH(U,M)⊃N=M

injdsj_lemma, 80
INJ(U)∧N<LENGTH U⊃¬((UN(λM.MKSET(NTH(U,M)),N))(XV)∧(MKSET(NTH(U,N)))(XV))

injectdef, 60
∀ALIST.INJECTP(ALIST)≡FUNCTP(ALIST)∧UNIQUENESS RANGE(ALIST)

interdef, 40
∀A B.A∩B=λXV.(A(XV)∧B(XV))

into_mult, 86
INTO(U)∧(∀K.K<LENGTH U⊃1=MULT(U,MKSET(K)))⊃(K<LENGTH U⊃1=MULT(U,MKSET(NTH(U,K))))

intodef, 63
∀U.INTO(U)=(∀N.N<LENGTH U⊃NATNUM NTH(U,N)∧NTH(U,N)<LENGTH U)

inv_into, 144
∀U.PERM(U)⊃INTO(INVERSE(U))

inv_left, 139
∀U V W.PERM(V)∧INV(U,W)∧COMP(V,U,W)∧LENGTH W=LENGTH U⊃ID(V)

inv_perm, 137
∀U V.PERM(U)∧INV(V,U)∧LENGTH V=LENGTH U⊃PERM(V)

inv_right, 137
∀U V W.PERM(W)∧INV(U,W)∧COMP(V,W,U)∧LENGTH U=LENGTH W⊃ID(V)

invalist_left, 105
∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃IDALISTP(INVALIST(ALIST) ∘ ALIST)

invalist_right, 105
∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))∧INJECTP(ALIST)⊃IDALISTP(ALIST ∘ INVALIST(ALIST))

invalist_sort, 90
∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃ALISTP INVALIST(ALIST)

invalistdef, 89
∀ALIST XA Y.INVALIST NIL=NIL∧INVALIST((XA.Y).ALIST)=(Y.XA).INVALIST ALIST

invers_sort1, 115
∀N I.LISTP INVERS1(U,I,N)

inversdef, 113
∀U.INVERSE(U)=INVERS1(U,0,LENGTH(U))

inversdef1, 113
∀U I N.INVERS1(U,I,0)=NIL∧INVERS1(NIL,I,N)=NIL∧
INVERS1(U,I,N')=IF NULL(FSTPOSITION(U,I)) THEN NIL ELSE FSTPOSITION(U,I).INVERS1(U,I',N)
inverse_left, 143
∀U.PERM(U)⊃INVERSE U#U=IDENT(LENGTH U)

inverse_right, 143
∀U.PERM(U)⊃U#INVERSE(U)=IDENT(LENGTH(U))

inverse_sort, 115
LISTP INVERSE(U)

irreflexivity_of_order, 164

last_nthcdr, 47
∀U.NTHCDR(U,LENGTH U)=NIL

ldistrib, 166
∀N K M.N*(K+M)=N*K+N*M

length_compose, 116
∀U W.DEF_APPL(W,U)⊃LENGTH(W#U)=LENGTH(U)

length_compose, 117
∀N.LENGTH(IDENT(N))=N

length_ident, 117
∀N.LENGTH(IDENT(N))=N

length_ident1, 117
∀N M.LENGTH(IDENT1(M,N))=N

length_mult, 54
∀A U.MULT(U,A)≤LENGTH U

length_nthcdr, 47
∀U N.N<LENGTH U⊃LENGTH(NTHCDR(U,N))=LENGTH U-N

lengthadd, 178
∀U V.LENGTH(U*V)=LENGTH U+LENGTH V

lengthdef, 178
∀U X.(LENGTH NIL=0)∧LENGTH(X.U)=(LENGTH U)'

lengthinverse, 118
∀U.PERM(U)⊃LENGTH(INVERSE(U))=LENGTH U

leq_leq_eq, 169
∀N M.N≤M∧M≤N⊃N=M

less_lesseq_fact1, 167
∀N M K.N<M∧M≤K⊃N<K

less_lesseqsucc, 168
∀N M.N<M≡N'≤M

less_succ_lesseq, 168
∀N M.M<N'≡M≤N

lesseq_lesseq_succ, 168
∀N M.N≤M⊃N≤M'

lesseqdef, 167
∀M N.(M≤N)=(M=N∨M<N)

list_append, 174
∀U V.LISTP(U*V)

listdef, 174
∀X LST.LIST(X,LST)=X.LIST(LST)

listinduction, 173
∀PHI.PHI(NIL)∧(∀X U.PHI(U)⊃PHI(X.U))⊃(∀U.PHI(U))

listinductiondef, 173
∀DF NILCASE DEF.(∃FUN.(∀PARS X U.FUN(NIL,PARS)=NILCASE(PARS)∧
FUN(X.U,PARS)=DEF(X,U,FUN(U,DF(X,PARS)),PARS)))

lpluscan, 165
∀N K M.(K+M=K+N)≡(M=N)

ltimescan, 166
∀N K M.¬K=0⊃((K*M=K*N)≡(M=N))

ltimestozero, 166
∀N K.¬N=0⊃N*K=0≡K=0
main_inv, 141
∀U N.PERM U∧N<LENGTH U⊃NTH(INVERSE U,N)=FSTPOSITION(U,N)

mapcardef, 175
∀FN X U.MAPCAR(FN,NIL)=NIL∧MAPCAR(FN,X.U)=FN(X).MAPCAR(FN,U)

member_mult, 55
∀U Y A.MEMBER(Y,U)∧A(Y)⊃1≤MULT(U,A)

member_nth, 43
∀U Y.MEMBER(Y,U)⊃(∃N.N<LENGTH U∧NTH(U,N)=Y)

memberdef, 175
∀X Y U.¬MEMBER(X,NIL)∧MEMBER(X,Y.U)=(X=Y∨MEMBER(X,U))

minus_sort, 169
∀N K.NATNUM(K-N)

minus1, 170
∀N.0<N⊃N-(PRED N)=1

minusdef, 169
∀M N.M-0=M∧M-(N')=PRED(M-N)

minusfact10, 170
∀N M.N<M⊃M-N=(M-N')'

minusfact11, 170
∀N M.M<N⊃N-M'<N

minusfact5, 169
∀N M.N<M⊃0<M-N

minusfact5, 169
∀N.0<N⊃PRED(N)

minusfact7, 170
∀N M.N<M⊃PRED(M'-N)=M-N

mklset_fact, 188
∀U.MKLSET(U)=(λX.(∃K.K<LENGTH U∧NTH(U,K)=X))

mklset_un, 194
∀U.UN(λM.MKSET(NTH(U,M)),LENGTH U)=MKLSET(U)

mklsetdef, 40
∀U.MKLSET(U)=λX.MEMBER(X,U)

mkset_def, 40
∀XV.MKSET(XV)=(λYV.YV=XV)

mkset_mklset, 177
∀U.MEMBER(Y,U)⊃MKSET(Y)⊂MKLSET U

mksetfact, 194
∀U N.N<LENGTH U⊃(UN(λM.MKSET(NTH(U,M)),N)=(λX.(∃K.K<N∧NTH(U,K)=X)))

mult_inj, 57
∀V.(∀K.K<LENGTH V⊃MULT(V,MKSET(NTH(V,K)))=1)⊃INJ(V)

mult_mult, 81
∀U V.MKLSET(U)=MKLSET(V)∧(∀M.M<LENGTH U⊃MULT(V,MKSET(NTH(U,M)))=1)⊃
(∀N.N<LENGTH V⊃MULT(V,MKSET(NTH(V,N)))=1)

mult_nthcdr, 55
∀N A U.N<LENGTH U⊃MULT(NTHCDR(U,N),A)≤MULT(U,A)

multdef, 54
∀X U A.MULT(NIL,A)=0∧MULT(X.U,A)=IF A(X) THEN MULT(U,A)' ELSE MULT(U,A)

multfact, 54
∀U.∀A.NATNUM(MULT(U,A))

multinj_computation, 57
∀V I J.I<J∧J<LENGTH V∧NTH(V,I)=NTH(V,J)⊃2≤MULT(V,MKSET(NTH(V,I)))

n_less_n, 170
∀N.N-N=0

nonempty_domain, 93
∀ALIST Z.UNIQUENESS DOM(ALIST)∧MEMBER(Z,RANGE ALIST)⊃(∃X.MEMBER(X,DOM ALIST)∧APPALIST(X,ALIST)=Z)

nonempty_range, 91
∀ALIST X.MEMBER(X,DOM ALIST)⊃(∃Y.MEMBER(Y,RANGE ALIST)∧APPALIST(X,ALIST)=Y)
normal, 33
∀P Q R.((P∨Q)∧R)≡((P∧R)∨(Q∧R))

normal, 33
∀P Q R.(P∨Q⊃R)≡(P⊃R)∧(Q⊃R)

normal, 33
∀P Q R.(R∧(P∨Q))≡((R∧P)∨(R∧Q))

nth_allp, 187
∀PHI U.(∀N.N<LENGTH U⊃PHI1(NTH(U,N)))⊃ALLP(PHI1,U)

nth_compose, 127
∀U N.DEF_APPL(V,U)∧N<LENGTH U⊃NTH(V#U,N)=NTH(V,NTH(U,N))

nth_fstposition, 48
∀U N.MEMBER(N,U)⊃NTH(U,FSTPOSITION(U,N))=N

nth_in_nthcdr, 45
∀U N M.N<M∧M<LENGTH U⊃MEMBER(NTH(U,M),NTHCDR(U,N))

nth_nthcdr_zero, 45
∀U.0<LENGTH U⊃NTH(U,0).NTHCDR(U,1)=U

nth_nthcdr, 47
∀U N M.N<LENGTH U∧M<LENGTH(NTHCDR(U,N))⊃NTH(NTHCDR(U,N),M)=NTH(U,M+N)

nthcdr_car_cdr, 45
∀U N.N<LENGTH U⊃NTHCDR(U,N)=NTH(U,N).NTHCDR(U,N')

nthcdr_ident, 133
∀M N.N<M⊃NTHCDR(IDENT(M),N)=IDENT1(N,M-N)

nthcdr_induction, 47
∀PHI U.PHI(NIL)∧(∀N.N<LENGTH(U)⊃(PHI(NTHCDR(U,N'))⊃PHI(NTH(U,N).NTHCDR(U,N'))))⊃PHI(U)

nthcdrdef, 45
∀X U N.NTHCDR(NIL,N)=NIL∧NTHCDR(U,0)=U∧NTHCDR(X.U,N')=NTHCDR(U,N)

nthdef, 42
∀X U N.NTH(NIL,N)=NIL∧NTH(U,0)=CAR U∧NTH(X.U,N')=NTH(U,N)

nthmember, 43
∀U N.N<LENGTH U⊃MEMBER(NTH(U,N),U)

oneleastsucc, 168
1≤N'

ontodef, 63
∀U.ONTO(U)=(INTO(U)∧(∀N.N<LENGTH U⊃MEMBER(N,U)))

perm_compose, 128
∀U V.PERM U∧PERM V∧LENGTH U=LENGTH V⊃PERM(U#V)

perm_composition, 121
PERM(V)∧PERM(W)∧LENGTH V=LENGTH W∧COMP(U,V,W)⊃PERM(U)

perm_ident, 133
∀N.PERM(IDENT(N))

perm_injectivity, 87
∀U.PERM(U)⊃INJ(U)

perm_inverse, 143
∀U.PERM(U)⊃PERM(INVERSE(U))

permdef, 63
∀U.PERM(U)=ONTO(U)

permutp_def, 61
∀ALIST.PERMUTP(ALIST)≡FUNCTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(RANGE(ALIST))

permutp_injectp, 80
∀U V.MKLSET U=MKLSET V⊃(∀M.M<LENGTH U⊃1≤MULT(V,MKSET NTH(U,M)))

permutp_injectp, 83
∀ALIST.PERMUTP(ALIST)⊃INJECTP(ALIST)

pigeonfact, 71
∀F.(∀N.NATNUM(F(N)))⊃(∀N.(∀M.M<N⊃1≤F(M))∧SUM(λK.F(K),N)=N⊃(∀M.M<N⊃1=F(M)))

∀U SETSEQ.DISJOINT(SETSEQ,LENGTH U)⊃((∀M.M<LENGTH U⊃1≤MULT(U,SETSEQ(M)))⊃(∀M.M<LENGTH U⊃1=MULT(U,SETSEQ(M))))
plusdef, 165
∀N K.0+N=N∧K'+N=(K+N)'

plusdef1, 165
∀N.1+N=N'∧N+1=N'

plusfacts, 165
∀K N.K+N=N+K

plusfacts, 165
∀N K M.(K+M=K+N)≡(M=N)

plusfacts, 165
∀N K M.(M+K=N+K)≡(M=N)

plusfacts, 165
∀N K.0+N=N∧K'+N=(K+N)'

plusfacts, 165
∀N K.N+K'=(N+K)'

plusfacts, 165
∀N K.N+K=0≡N=0∧K=0

plusfacts, 165
∀N.1+N=N'∧N+1=N'

plusfacts, 165
∀N.N+0=N

plusfacts, 166
∀N K M.N*(K+M)=N*K+N*M

plusfacts, 166
∀N M K.(M+K)*N=M*N+K*N

pos_length, 48
∀U Y.MEMBER(Y,U)⊃FSTPOSITION(U,Y)<LENGTH U

posfacts, 48
∀U.(NULL FSTPOSITION(U,Y)⊃¬MEMBER(Y,U))∧(MEMBER(Y,U)⊃NATNUM(FSTPOSITION(U,Y)))∧
(NULL FSTPOSITION(U,Y)∨NATNUM(FSTPOSITION(U,Y)))

pred_cancellation, 170
∀N M.N<M⊃PRED(M'-N)=M-N

pred_def, 165
∀N.PRED(N')=N

proof_by_double_induction, 166
∀A2.(∀N M.A2(0,N)∧A2(N,0)∧(A2(N,M)⊃A2(N',M')))⊃∀N M.A2(N,M)

proof_by_induction, 166
∀A.A(0)∧(∀N.A(N)⊃A(N'))⊃(∀N.A(N))

range_compose, 95
∀ALIST ALIST1.PERMUTP(ALIST)∧MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
MKLSET(RANGE(ALIST ∘ ALIST1))⊂MKLSET(RANGE(ALIST1))

range_compose, 95
∀ALIST ALIST1.PERMUTP(ALIST)∧PERMUTP(ALIST1)∧MKLSET(DOM(ALIST))=MKLSET(DOM(ALIST1))⊃
MKLSET(RANGE(ALIST1))⊂MKLSET(RANGE(ALIST ∘ ALIST1))

range_invalist, 94
∀ALIST.ALLP(λX.ATOM X,RANGE(ALIST))⊃RANGE(INVALIST(ALIST))=DOM(ALIST)

rangedef, 60
∀XA Y ALIST.RANGE NIL=NIL∧RANGE((XA.Y).ALIST)=Y.RANGE ALIST

rangesort, 61
∀ALIST.LISTP RANGE(ALIST)

rdistrib, 166
∀N M K.(M+K)*N=M*N+K*N

rpluscan, 165
∀N K M.(M+K=N+K)≡(M=N)

rtimescan, 166
∀N K M.¬K=0⊃((M*K=N*K)≡(M=N))

rtimestozero, 166
∀N K.¬N=0⊃K*N=0≡K=0
samemap_def1, 62
∀ALIST1 ALIST2.SAMEMAP(ALIST1,ALIST2)≡
(MKLSET(DOM(ALIST1))=MKLSET(DOM(ALIST2))∧(∀X.APPALIST(X,ALIST1)=APPALIST(X,ALIST2)))

samemap_equivalence, 62
SAMEMAP(ALIST,ALIST)

samemap_equivalence, 62
SAMEMAP(ALIST,ALIST1)∧SAMEMAP(ALIST1,ALIST2)⊃SAMEMAP(ALIST,ALIST2)

samemap_equivalence, 62
SAMEMAP(ALIST,ALIST1)⊃SAMEMAP(ALIST1,ALIST)

samemap_left, 94
∀ALIST ALIST1 ALIST2.SAMEMAP(ALIST1,ALIST2)⊃SAMEMAP(ALIST1 ∘ ALIST,ALIST2 ∘ ALIST)

samemap_right, 94
∀ALIST ALIST1 ALIST2.SAMEMAP(ALIST1,ALIST2)⊃ALIST ∘ ALIST1=ALIST ∘ ALIST2

samemapdef, 61
∀ALIST ALIST1.SAMEMAP(ALIST,ALIST1)≡
MKLSET DOM(ALIST)=MKLSET DOM(ALIST1)∧(∀Y.Y∈MKLSET DOM(ALIST)⊃APPALIST(Y,ALIST)=APPALIST(Y,ALIST1))

set_extensionality, 40
∀A B.(∀XV.XV∈A≡XV∈B)⊃A=B

sexp_nth, 42
∀U N.SEXP NTH(U,N)

sexpinduction, 174
∀PHI.(∀X.ATOM X⊃PHI(X))∧(∀X Y.PHI(X)∧PHI(Y)⊃PHI(X.Y))⊃(∀X.PHI(X))

sexpinductiondef, 174
∀ATOMCASE DEFSEXP DF1 DF2.∃FUN.∀PARS X Y Z.(ATOM Z⊃FUN(Z,PARS)=ATOMCASE(Z,PARS))∧
(FUN(X.Y,PARS)=DEFSEXP(X,Y,FUN(X,DF1(X,Y,PARS)),FUN(Y,DF2(X,Y,PARS)),PARS))

somenumdef, 53
∀N A.¬SOMENUM(0,A)∧(SOMENUM(N',A)=A(N)∨SOMENUM(N,A))

somepdef, 175
∀PHI X U.¬SOMEP(PHI,NIL)∧SOMEP(PHI,X.U)=IF PHI(X) THEN TRUE ELSE SOMEP(PHI,U)

somepfact, 176
∀U.SOMEP(PHI1,U)≡(∃X.MEMBER(X,U)∧PHI1(X))

somepfact, 38
∀U.SOMEP(PHI1,U)=(∃X.MEMBER(X,U)∧PHI1(X))

sortcomp, 115
∀U.DEF_APPL(V,U)⊃LISTP V#U

sortpos, 48
∀U Y.SEXP FSTPOSITION(U,Y)

strictly_increasing, 72
∀F N.(∀M.M<N⊃NATNUM(F(M))∧1≤F(M))⊃N≤SUM(λK.F(K),N)

succ_less_less, 168
∀N M.M'<N⊃M<N

succ_lesseq_lesseq, 168
∀M N.M'≤N⊃M≤N

successor_minus, 169
∀N M.N<M⊃M'-N=(M-N)'

successor1, 165
∀N.N<N'

successor2, 165
∀N M.¬N<M⊃M<N'

successoreq, 165
∀N M.(N'=M')≡(N=M)

successorfacts, 167
∀N M.N'<M'≡N<M

successorfacts, 167
∀N.¬N=N'
successorless, 165
∀N M.N'<M'≡N<M

successorlesseq, 167
∀N

succfacts, 165
∀N

succfacts, 165
∀N

succfacts, 165
∀N M.N'<M'≡N<M

succfacts, 165
∀N.¬(N'=0)

succfacts, 165
∀N.¬N=0⊃0<N

succfacts, 165
∀N.0<N'

succfacts, 165
∀N.N<N'

sumdef, 53
∀N NUMSEQ.SUM(NUMSEQ,0)=0∧SUM(NUMSEQ,N')=SUM(NUMSEQ,N)+NUMSEQ(N)

sumsort, 54
∀NUMSEQ N.(∀M.M<N⊃NATNUM(NUMSEQ(M)))⊃NATNUM(SUM(NUMSEQ,N))

timesdef, 166
∀N K.0*N=0∧N'*K=(N*K)+K

timesfacts, 166
∀N K M.¬K=0⊃((K*M=K*N)≡(M=N))

timesfacts, 166
∀N K M.¬K=0⊃((M*K=N*K)≡(M=N))

timesfacts, 166
∀N K M.N*(K+M)=N*K+N*M

timesfacts, 166
∀N K.¬N=0⊃K*N=0≡K=0

timesfacts, 166
∀N K.¬N=0⊃N*K=0≡K=0

timesfacts, 166
∀N K.0*N=0∧N'*K=(N*K)+K

timesfacts, 166
∀N K.N*K'=N*K+N

timesfacts, 166
∀N M K.(M+K)*N=M*N+K*N

timesfacts, 166
∀N M.N*M=M*N

timesfacts, 166
∀N.N*0=0∧1*N=N∧N*1=N

timsucc, 166
∀N K.N*K'=N*K+N

total_subtraction, 170
∀N M.M<N⊃M-N=0

trans_cond, 33
∀P Q R.(Q⊃R)∧(IF P THEN Q ELSE R)⊃R

trans_lesseq, 167
∀N M K.N≤M∧M≤K⊃N≤K

transitivity_of_order, 164
∀N M K.N<M∧M<K⊃N<K

trichotomy, 169
∀N M.M<N∨M=N∨N<M

trichotomy2, 178
∀U N.LENGTH(U)≤N∨N<LENGTH(U)

trivial_appalist, 62
∀ALIST.¬Y∈MKLSET(DOM(ALIST))⊃APPALIST(Y,ALIST)=NIL

trivial_nthcdr, 47
∀U N.LENGTH(U)≤N⊃NTHCDR(U,N)=NIL

undef, 53
∀N SETSEQ.UN(SETSEQ,0)=EMPTYSET∧UN(SETSEQ,N')=UN(SETSEQ,N)∪SETSEQ(N)

unionfact1, 194
∀SETSEQ N M.M<N⊃SETSEQ(M)⊂UN(SETSEQ,N)

uniqueness_injectivity, 52
∀U.UNIQUENESS(U)⊃INJ(U)

uniquenessdef, 175
∀U X.UNIQUENESS NIL∧(UNIQUENESS(X.U)≡¬MEMBER(X,U)∧UNIQUENESS(U))

zero_non_less_successor, 168
∀N

zero_not_successor, 165
∀N.¬(N'=0)

zeroleast, 168
∀N.0≤N

zeroleast1, 164
∀N.¬N<0

zeroleast2, 165
∀N.¬N=0⊃0<N

zeroleast3, 165
∀N.0<N'